It’s been said before but the CJEU’s decision on the Google Spain v. AEPD case was a real game changer. Every law student on the planet learns that there are a number of sources that contribute to the legal system of a given jurisdiction. First and foremost are the statutes adopted by – in the best of cases – democratically elected parliaments. Then there are a myriad of legal obligations that arise from various sources ranging from regulatory guidance to market practices. Ultimately, the most authoritative source is the case law that is constantly emerging from courts’ decisions. Data protection law is no exception and the CJEU has emerged as the ultimate interpreter of the legislator’s will.
Arguably, the most influential element of the entire Google Spain decision is the novel interpretation of the 20-year-old criteria for determining the applicability of EU data protection law. The CJEU took the view that a data controller based outside the EU is subject to European data protection law if a local EU establishment of that controller is involved in some way in the controller’s activities, even if that establishment does not actually handle the data at issue. The aim behind this reasoning is simply to bring within the scope of European law any organisation that may have no physical data operations in the EU but has some kind of presence connected to its use of personal data.
Perhaps unsurprisingly, this interpretation has not just been embraced but stretched to the limit by some EU data protection authorities. Barely a year on from the famous decision, EU authorities across Member States are confidently claiming competence over data handling activities that not so long ago would have been off-limits. The boldest claim to date has come from the Belgian Privacy Commission, which has stated that it is “undeniable” that it has the competence to take measures against the processing of personal data of Belgian individuals by Facebook, irrespective of Facebook’s position that the controller of all of its European users’ data is its Irish entity. In a nutshell, the long accepted view that a data controller established in one EU Member State and operating on a pan-European basis was subject only to the law of that state and the scrutiny of that state’s regulator is being blown out of the water.
Given the status of the EU data protection legislative reform and that in all likelihood the existing law will be replaced by a new one in a matter of months – give it a year – we may never get a court decision on this point before it becomes completely academic. In other words, the applicability of the law point will fall away as multiple national regimes will be superseded by a single framework. However, what will not be an academic issue and will in fact become a crucial aspect – both strategically and practically – of data protection compliance is the question of which national authority will be competent to regulate the EU data activities of a global organisation. To its credit, the European Commission tried to tackle this in its legislative proposal through the ‘One Stop Shop’ concept. Ironically, under that proposal, the Irish authority would be exclusively competent to oversee all of Facebook’s European data activities, but life is never that simple.
One of the big question marks looming over the data protection legislative reform currently taking place is what will happen to the One Stop Shop model. Will the European Commission’s original idea prevail for the sake of simplicity and harmonisation? Will such a concept be simply unviable in an increasingly disjointed European Union? Or will the political complexities of our time be reflected in an unwieldy mechanism that leaves us with the same or even greater uncertainty about which regulator is the competent one?
Whatever the correct answer, the need for global organisations to figure out how to structure their data protection compliance in Europe and how to interact with regulators is a very pressing one. The stakes of getting privacy right have never been higher. Enforcement risks aside, responsible data-dependent organisations are eagerly looking for ways to build workable programmes that meet legal requirements and regulatory expectations. An open dialogue with data protection authorities has become a central piece of many organisations’ attempts to make privacy compliance a strategic business driver. So it is certainly important not only to understand the expectations of the regulatory community but also to establish an effective level of cooperation with the relevant authorities.
The way things are going, the phrase One Stop Shop will be an oversimplification of the right strategy. A credible approach will probably rely on a multi-party outreach strategy in which one authority becomes the focal point of interaction whilst the others are kept actively in the loop. The precise level of cooperation that pan-European organisations will be expected to have with each data protection authority will vary from case to case, but one can safely assume that active communication, openness and a degree of mutual trust will be a good place to start.
This article was first published in Data Protection Law & Policy in May 2015.