Examining the results of a landmark dispute between Facebook and the German province of Schleswig Holstein, data protection experts from Pinsent Masons, the law firm behind Out-Law.com, clarify the issues.
This edition of Out-Law Radio features Marc Dautlich, Stephan Appt and Lore Leitner and is the first in a short series focusing on data protection law. The next instalment will be published next week.
Here is the transcript of the podcast:
Out-Law Radio, 12th September 2013
Different countries have different data protection laws and within Europe different interpretations of EU Data Protection Law so when international companies like Facebook or Google hold lots of very personal information about us and have offices and users all over the world whose laws applies? A few cases including one involving Facebook in the German Province of Schleswig-Holstein give us some clues. Data Protection experts from international law firm Pinsent Masons discuss the thorny issue of which law governs the treatment of Europe's online personal data.
Marc Dautlich: I am Marc Dautlich, head our information law team at Pinsent Masons based in the London office. The question we have got is which jurisdiction applies to my data processing activities in the European Union and I have a couple of colleagues with me who are just going to introduce themselves.
Stephan Appt: My name is Stephan Appt, I am based in the Munich office of Pinsent Masons and also specialise in data protection Law.
Lore Leitner: I am Lore Leitner, I am based in London and I am part of the data protection team.
Marc Dautlich: Perfect. Thank you both. So I want to start by asking Stephan a little bit about this case, we have got a really important issue here, Facebook and one of the provincial German Data Protection Regulators in Schleswig-Holstein and the German courts have been at odds about who has jurisdiction over Facebook's activities in Germany. Stephan can you tell us a little bit about the background of the case and why it is an important decision for everyone, not just Facebook?
Stephan Appt: Sure Marc. As you have already said there was an issue between the Local DPA in Schleswig-Holstein and Court of Schleswig and the subject matter of this case was that the Facebook Policy actually does not allow Facebook users to register their accounts using pseudonym, the policy requires that you use your real name and it happened that people situated in Schleswig-Holstein, they registered or some of them have registered under pseudonyms and Facebook blocked their accounts and that triggered action by the Data Protection Authority sending a warning letter to Facebook Inc in Palo Alto saying basically, "Dear Mr Zuckerberg please unblock these accounts otherwise if you do not comply with this German law requirement then we will issue a fine of €20,000".
Marc Dautlich: So Facebook at this point said, "well we are not subject to the German law because we are based in Ireland," is that right?
Stephan Appt: Exactly that is exactly the case there is a Facebook entity situated in Ireland, the Facebook Limited and then the discussion arose which entity is actually processing personal data in this case because that would have immediate effect on the question which law is actually applicable and which authority is actually competent to review such data processing and there the decisive or the most important part, the court had to consider here was whether the country of origin principle that provides for the applicability of Irish Law in this instance.
The DPA argued that as the Irish entity is not in control of the data processing and does not decide what happens with the data that has been processed therefore the country of origin principle would not bite in this case and it would not be an establishment that would be pre‑conditioned for this principle to apply.
Marc Dautlich: Facebook said on the facts that is all wrong because the German entity is not involved in this sign up process where users are signing up, is that right?
Stephan Appt: They said well that is the second line of argumentation that the Data Protection Authority tried to use, they said well we have this German entity as well and they presumably are processing data which Facebook denied and the court also assumed this was not the case so there was no German entity that could be considered as a data processor or controller in that case which would lead to the result that German law is not applicable but still due to the fact that they accepted that it does not matter whether the Irish entity is in control of the data processing for the applicability of the country of origin principle still Irish law would apply here.
Marc Dautlich: And so in this particular case obviously this was very important to Facebook because of a specific difference between Irish law and German law, namely this business of pseudonyms and whether you are allowed to sign up using a pseudonym instead of your real name and details but the principle that would apply to any business would it not, that is operating across Europe whether they are based somewhere in Europe or for that matter outside it?
Stephan Appt: From most of the legal observers perspective this should have been probably a clear cut case for the country of origin principle to apply but you have also, you must consider the fact that German data protection authorities, there is a trend that they pick up issues and seek a way as to how they can establish competence and just recently they have started to get after the big names like Facebook, Apple and Google and that is just a fact that entities or businesses have to take into mind.
Marc Dautlich: So there is an issue here about some how can I put it, Schleswig Holstein throwing its weight around, if I can put it that way. I just want to bring Lore into this at this point and just try and get a perspective on the position in France because this country of origin principle as I say is really important to any business that is operating across borders within the single market. Lore is the French approach roughly the same as we are talking in Germany that the court took or is it a different stance?
Lore Leitner: Well, for starters the approach the CNIL would take, which is the French data protection authority, would be completely the same so as you know you this country of origin principle that is also applicable in France because of the European Privacy Directive so that means that the data controller if he carries out processing in the framework of his establishment in France, his subject to the French data protection law so the way the CNIL approaches this is that they look at this concept establishment and they try to interpret that as broad as possible.
So, because there is no definition of establishment under the Data Protection Act, they will often try and look other the areas of law and to see how they can steal ideas, kind of and apply those to a certain data protection law case and then have them interpret as broad as possible. So often they will go and look at tax law because establishment is also a concept that is known and the French tax law and they will make the decision that you are subject to French data law as soon as you have an actual and regular activity on the French territory and that data processing is involved in the activities on the French territory.
So they will not look at the legal forum of the establishment on the French territory or they will also not look at how you define it yourself. As soon as French law is applicable you are also subject to all the fines and all the specific requirements.
Marc Dautlich: So goodness me, in France we have got to think about tax law not just data protection law because that is way that the French or one way that the French approach the interpretation of where is your place of establishment. We have been talking about, in summary it is the location of the establishment within the EU that carries out the data processing activities that is key to this question, is it not? It is not where the data is located necessarily, that is not the conclusive issue and if you have more than one establishment as in the particular case with Facebook, so they have Facebook GMBH in Germany but it is doing and Facebook Limited in Ireland that the German entity is not involved in the activity that is complained of, that is irrelevant then, is it not that German entity because that is not relevant for the discussion, is it not Stephan?
Stephan Appt: That is correct but on the other hand if the Hamburg entity would have been active in data processing as well in addition to Facebook in Ireland then actually both legal regimes would have been applicable as it just leads to maybe funny results.
Marc Dautlich: Well let us end on a good note, when if the new proposed general Data Protection regulation comes in the EU in theory at any rate that is going to harmonise the situation so that we will not have differences of substantive Data Protection Law as between, in this case Ireland and Germany, where it really matters which forum is the right one. That is the theory of it anyway. Thank you both very much.
For more about Pinsent Masons International our data protection law practice see Pinsentmasons.com. For news and updates on data protection and all other kinds of business law see Out-Law.com..