What the Ashley Madison case highlights about jurisdiction in data protection cases

Personal data, including names, addresses, phone numbers, encrypted passwords and email addresses, belonging to millions of the website's users has been posted online by hackers, raising questions over the security measures the company deployed to protect the confidentiality of the information.

It is so far unclear whether the data breach stems from failings that would constitute a breach of the data security requirements under EU data protection laws.

However, there is also a lack of clarity over whether data protection authorities in the EU would, in any case, have the jurisdiction to take enforcement action against Ashley Madison if it decided the breach merits such action.

Whether or not users of the website based in the EU would be able to raise separate compensation claims against the company under data protection laws in their country is similarly open to debate.

Ashley Madison's operations

Ashley Madison is owned by Avid Life Media, a Toronto-based business that owns a number of "innovative dating brands". Avid Life Media has staff based elsewhere in the world too, including in Cyprus.

By signing up to the Ashley Madison website, users agree that their relationship with Ashley Madison is governed by Cypriot law and that Ashley Madison is based in Cyprus. The terms of use also specify that only the Cypriot courts have jurisdiction to hear cases brought against the company.

The scope of the EU's data protection regime

The EU's Data Protection Directive states that where personal data processing is carried out by a data controller with an establishment in an EU country then the processing must adhere to the national data protection laws of that country. The Directive makes clear that organisations based in multiple EU countries must abide by each of the different data protection regimes with respect to their personal data processing in those countries.

Businesses that do not have an office in the EU can also fall subject to the Directive, however.

Where a data controller does not have an establishment in the EU but "makes use of equipment" in an EU country to process personal data then the national data protection laws of that EU country apply to that processing. This is unless the equipment is "used only for purposes of transit through" the EU.

Which data protection laws are Ashley Madison subject to?

Canada's data protection authority, the Office of the Privacy Commissioner of Canada (OPCC), is leading international efforts from privacy watchdogs to understand more about the circumstances around the Ashley Madison data breach. It has today launched a joint investigation into the data breach with Australia's information commissioner and has said it will be cooperating with "other international counterparts".

A spokesman for the OPCC told Out-Law.com that it has "been in communication with the company to determine how the breach occurred and what is being done to mitigate the situation". It has also "been in contact with other data protection authorities" around the world "given the global scope of the breach".

The UK's Information Commissioner's Office (ICO) is among the other data protection authorities taking an interest in the case.

However, there is a question mark over whether the ICO would be able to take enforcement action if it was determined that the data security measures implemented by Ashley Madison were inappropriate.

This is because it has yet to be clarified if the UK's Data Protection Act applies to the company's data processing.

It is not clear whether Ashley Madison, despite serving people based in the UK, actually has any 'establishment' in the country, for the purposes of the Data Protection Directive. It is also unclear whether Ashley Madison can be said, for the purposes of the Directive, to 'make use of equipment' in the UK to process personal data.

There is no clear definition, either under the Data Protection Directive or EU case law, of what constitutes 'equipment' for processing personal data.

The Article 29 Working Party, a committee of representatives from all the national data protection authorities in the EU, has offered its view on the issue, but without clarification from the courts the term will remain open to interpretation.

According to a Working Party opinion issued in 2010, determinations on whether non-EU businesses 'use equipment' in an EU country to process personal data should be made on a case-by-case basis.

The Working Party favoured a broad interpretation of the term and said that it is possible to determine that non-EU businesses are subject to data protection laws in the EU if they use cookies or Javascript banners to collect personal data from the computers of online users of the service they provide.

It also said that non-EU businesses that collect personal data about EU-based consumers through software installed on their mobile devices can also be considered to be using 'equipment' to process personal data.

The intentions of businesses and their targeting or otherwise of EU consumers are factors that the Working Party said would help determine whether those businesses were subject to the data protection laws in the EU countries in which those consumers were based. It also said "it is not necessary for the controller to exercise ownership or full control over such equipment for the processing to fall within the scope of the Directive".

An argument might be put forward, if the Working Party's argument is to be run with, that mobile app providers all over the world are subject to the EU's data protection regime. This would, as the argument goes, be the case if they market their app at consumers in the trading bloc and they then collect personal data from those that install and use it.

An equally ubiquitous application of the EU's data protection framework is implied if you consider the extent to which website operators across the world use cookies to track site visitors.

What are the potential implications of all this for Ashley Madison in the UK?

People can access the Ashley Madison platform by visiting their website or through its mobile app. A reported 1.2 million people from the UK are registered users of Ashley Madison.

If the company's personal data processing is deemed to be subject to the Data Protection Act in the UK then the ICO could decide to take enforcement action against the company. It would be able to issue a fine of up to £500,000 if it considered the company had been responsible for a serious breach of the Act.

The Act requires, among other things, that data controllers implement "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

The Act also provides data subjects with a right to claim compensation if they suffer damage as a result of violations of a section of the Act by organisations that hold their personal data. Individuals may also be entitled to compensation from those data controllers if they suffer distress.

Organisations do have a defence to this right to compensation if they can "prove that [they] had taken such care as in all the circumstances was reasonably required to comply with the requirement [that it is alleged to have breached]".

Until recently it has been the generally accepted position that consumers that do not incur any financial loss from a breach of data protection laws by businesses are not entitled to compensation for that breach.

However, a ruling earlier this year by the Court of Appeal altered that conventional wisdom, meaning that people that experience distress, but no financial harm, as a result of a data breach can raise a compensation claim. That judgment is, however, the subject of an appeal before the Supreme Court.

Under the existing position established by the Court of Appeal, businesses could face potentially crippling pay out costs if customers en masse each raised even relatively modest compensation claims and those claims were upheld by the courts.

For example, if each UK user of Ashley Madison was to try to claim for, say, £1,000 in compensation over the data breach, the company could incur costs of up to £1.2 billion. Such a liability would have a critical impact on almost any business.

In addition, that liability would just account for compensation payable to UK customers. It has been reported that users of Ashley Madison are being invited to join class action lawsuits against Avid Life Media in the US.

Clear as mud

The extent of Ashley Madison's exposure to the EU's data protection regime has yet to be clarified.

The ambiguous terminology contained in the Data Protection Directive provides uncertainty on a key jurisdictional issue that affects businesses and consumers alike.

EU legislators are currently in the midst of negotiating a replacement for the Directive which it is to be hoped will clarify the issue.

The proposed new General Data Protection Regulation is set to apply to both businesses based in the EU and those based outside the trading bloc but that target services at EU-based consumers. Each of the EU bodies negotiating the new Regulation propose extending the scope of EU data protection laws to all businesses that offer goods and services to individuals 'in the European Union' or monitor their behaviour.

Non-compliance with the Regulation could cost businesses up to €100 million in fines, under the plans if the European Parliament's version of the proposed new law succeeds.

Luke Scanlon is a technology law expert at Pinsent Masons, the law firm behind Out-Law.com