Cross-Border Data Protection in the Internet Age

October 1st, 2015 by Christopher Knight

One of the great difficulties facing data protection lawyers is how Directive 95/46/EC copes with the internet age. How do you work out where processing has happened? How do you work out who is responsible? Where can you sue them or otherwise take action against them? What law applies (important given that the Directive has been implemented in different ways in different Member States)?

Article 4 provides some of the answer:

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.

The decision of the CJEU in Google Spain gave some consideration to these matters, but while it certainly established that one could pursue Google through it having a presence in a Member State, it did not really deal with the smaller fry.

However, the CJEU’s decision today in Case C-230/14 Weltimmo v Nemzeti (judgment of 1 October 2015) provides a bit more clarification. Weltimmo (as Anya’s post on the AG’s Opinion has previously discussed) is a company registered in Slovakia, but which the Hungarian data protection authority wished to fine for breaches of the Directive. Those breaches related to the activities of property dealing websites Weltimmo ran which advertised properties in Hungary and revealed various items of personal data of the property owners. What factors were relevant in working out whether Weltimmo was established in Hungary under Article 4?

Article 4, stressed the Court, was the key to determining the national law applicable: at [23]. The Directive had prescribed a broad territorial scope (see Google Spain): at [27]. In the particular context of the internet, said the Court without particularly expressing why there should be different tests for different types of business, when working out whether Weltimmo was also established in a State where it was not registered, one had to consider “both the degree of stability of the arrangements and the effective exercise of the activities” in the light of “the specific nature of the economic activities” concerned: at [29]. (No mention of where there was not a clear economic activity.) An establishment can be shown by “any real and effective activity – even a minimal one – exercised through stable arrangements”: at [31].

What is relevant then? The presence of just one representative can be sufficient if acting with a sufficient degree of stability through the presence of the necessary equipment for the provision of the services (i.e. not necessarily where the servers are): at [30]. Running a website about properties in Hungary, written in Hungarian, which charges advertising fees constituted a real and effective activity in Hungary: at [32]. The presence of a representative in Hungary, who acts as a point of contact with the Slovak company and the data subjects, and a Hungarian bank account, and a Hungarian letter box for the business, were all capable of showing an establishment: at [33]. What is not relevant is the nationality of the data subjects: at [40] (which is consistent with the classic approach to jurisdiction under the Brussels I regime). The processing itself must take place in the context of the activities in Hungary, but the Court had no difficulty with that: at [38]. As a result, Hungarian law applied to Weltimmo: at [39].

This was all fact-specific of course, but it does give some fairly extensive guidance, and certainly indicates that any website aimed at a particular jurisdiction, plus a physical presence of some sort, will be sufficient to amount to an establishment. Company registration elsewhere will not be an escape route.

There was also a second issue, which was technically obiter, about when a national regulator can take action against a data controller who may be subject to foreign laws. The CJEU strongly emphasised that it was the obligation of the regulator under Article 28 to take action within its own territory and to investigate every complaint made to it, irrespective of the applicable law: at [54]. What it cannot do, of course, is try to fine a controller not established in its own State: at [56]. So, if having investigated, the regulator reaches the conclusion that the controller is established elsewhere and subject to a foreign legal regime, it must ask the relevant national regulator to take over the case and impose any penalty based, in part, on the information provided between regulators: at [57]. Cross-border regulation might not yet be at a one-stop shop level, but it is meant to have teeth.

Weltimmo is a genuinely important decision and provides some very helpful guidance. By no means does it answer all of the questions, particularly outside of the internet, and it does not come close to the beginning of the end. But perhaps, following Google Spain, it is the end of the beginning.

Christopher Knight

‘Vilified’ doctor cannot publish patient’s private information

October 1st, 2015 by Robin Hopkins
In the Matter of C (A Child) (Application by Dr X and Y) [2015] EWFC 79 involved, in the words of Munby J, an unusual and indeed unprecedented application. It pitted the right to defend one’s reputation against the privacy and confidentiality rights of others. In this case, the latter won.
Dr X had treated C and C’s mother; he had also been an expert witness in the family court care proceedings concerning C. C’s mother was unhappy about the treatment given by Dr X. She complained about him to the GMC, whose Fitness to Practise panel in due course found the allegations against Dr X to be unproven. C’s mother also criticised Dr X publicly in the media.
Dr X felt that his “otherwise unblemished reputation … has been cataclysmically damaged … through inaccurate reporting and internet postings” and that he has been “unfairly and unjustly pilloried by the mother and, through her, by the press” (his skeleton argument, cited at para 10 of Munby J’s judgment).
Dr X wanted to be able to put his side of the story, and to have the original source documents – from the family court proceedings and the Fitness to Practise proceedings – available, to quote from (while respecting anonymity) if his public statements were challenged. He sought disclosure of documents from those proceedings.
One difficulty he faced was that the law restricts the use to which documents from family proceedings could be put. The court had a discretion to allow disclosure, but generally subject to restrictions on the use to which documents could be put.
A further major difficulty was that he was bound by doctor-patient confidentiality, both as a matter of legal duty and professional confidentiality. That duty permits of exceptions – for example, to allow a doctor who is being unfairly vilified by a patient to defend himself – but even then any departure from confidentiality obligations must be proportionate.
The same applies to interference with patients’ privacy under Article 8 ECHR; privacy rights were particularly acute here, because what was sought (for disclosure, and for deployment in public statements) was “a mass of medical materials relating to the mother’s mental health” (Munby J at paragraph 42). Disclosure of those materials, even in redacted form, would have major implications for the privacy of the child, C.
Those difficulties were fatal to the application. Munby J said that “the remedy being sought by Dr X – permission to put the mother’s medical records and related documents into the public domain, at a time and in circumstances of his own choosing and without any of the safeguards usually imposed – is wholly disproportionate to anything which he can legitimately or reasonably demand”.
In relation to the documents filed in the Fitness to Practise proceedings but which were not part of the documentation filed in the care proceedings, the court had no jurisdiction to grant an application for disclosure. In any event, disclosure of the confidential material Dr X sought for deployment in the public domain would again be wholly disproportionate.
Heather Emmerson of 11KBW appeared for the GMC.
Robin Hopkins @hopkinsrobin

Schrems – judgment imminent

September 29th, 2015 by Anya Proops

More breaking news on Schrems – the word on the street is that judgment is due to be given by the CJEU on 6 October. This means we will only have to wait another week before discovering whether the Court has followed the Advocate General’s hugely politically controversial opinion.

I should add that on 6 October judgment is also due to be given by the CJEU in East Sussex v Information Commissioner (case on charging for property search information under the EIR). Of course no one could doubt the importance of the East Sussex case (and I’m not just saying that because I appeared for the Commissioner) but I have a sneaking suspicion that Schrems may yet steal our thunder…

Anya Proops

No Such Thing as a Safe Harbour?

September 23rd, 2015 by Christopher Knight

Breaking news: AG Bot has just delivered his Opinion in Case C-362/14 Schrems v Data Protection Commissioner (the Facebook case) holding that the Commission decision establishing the ‘Safe Harbour’ scheme in the USA does not eliminate or reduce the national authorities’ duties to assess compliance with the Directive 95/46/EC, and in any event, the Safe Harbour decision is invalid in the light of the Snowden revelations about mass data surveillance in the USA. The full text of the Opinion will be published, and doubtless discussed here, later on but if the CJEU agrees, it is a very significant decision.

I will be on BBC World later this morning discussing the implications of the Opinion.

Christopher Knight

Right to be forgotten – Khashaba revisited

September 18th, 2015 by Anya Proops

In July of this year, I blogged about a judicial review case involving a challenge to the ICO’s decision that Google had not breached the DPA when it refused a ‘right to be forgotten’ application made by a Mr Khashaba. My post confirmed that the court had refused permission for Mr Khashaba to proceed with his claim on the papers. Mr Khashaba has since gone on to renew his application for permission. That application was also refused. The judge, HHJ Simon Barker QC (sitting as a Deputy), concluded that permission should be refused on the basis that civil proceedings against Google constituted an adequate alternative remedy, even if those proceedings required service out of the jurisdiction. The judge went on to observe that civil proceedings also constituted a more appropriate vehicle for resolving Mr Khashaba’s claim. This was particularly because they would allow the evidence in the case to be more effectively tested, with the result that the judge would be in a position to make a more effective and informed assessment of the reliability of the claimed consequences of continued listing of the relevant webpages (cf. judicial review proceedings where typically there is no cross-examination of witnesses). Mr Khashaba was ordered to pay the ICO’s costs. Christopher Knight represented the ICO.

What is notable about this judgment is that it suggests that the courts are alive to the fact that assertions that particular data ought to be forgotten should not be taken at face value but should instead be rigorously tested. Obviously one is left with the abiding questions of whether Google, as opposed to the authors of the relevant source websites: (a) is itself best placed to undertake that testing exercise and (b) will be sufficiently incentivised in any individual case to mount a defence to the claim. It will in any event be interesting to see whether Mr Khashaba does now seek to pursue his case against Google.

Anya Proops

 

EIR charges – CJEU judgment imminent

September 15th, 2015 by Anya Proops

Anyone who has been following the litigation on charging for access to property search information under the EIR may like to know that the judgment in East Sussex v Information Commissioner is due to be given by the CJEU on 6 October 2015 (for further information on the background to the case and the Advocate-General’s Opinion, see here). One of the important issues in the East Sussex litigation has been the risks which charging for environmental information may pose in terms of the potential dissuasive effect on applicants. It will be interesting to see whether the Government has an eye to such dissuasive effects when it is thinking how to develop its proposals on fees in the GRC (see further Chris Knight’s post on the proposals here).

Anya Proops

Impact of FOIA on legal professional privilege

September 14th, 2015 by Paul Greatorex

An intriguing summary has emerged on Lawtel (subscription required) of a decision of the Chancery Division (John Jarvis QC) in a case called Hallows v Wilson Barca LLP, which suggests that the duties imposed on public bodies by the Freedom of Information Act 2000 (FOIA) can be relevant to the common law doctrine of legal professional privilege.

The decision appears to hold that lawyers who obtain documents from public bodies for the purpose of litigation (which would therefore normally be protected by litigation privilege) need to bear in mind the existence of FOIA and make that purpose clear, otherwise they will be taken to have waived privilege. Whether, on close inspection of the full judgment, this turns out to be a true description of the ratio decidendi remains to be seen, but the case seems worth noting in any event.

The issue arose in the context of a claim brought by the claimant (C) against the solicitors (D) who had acted for him to register title to a plot of land. C alleged that D had failed to register the fact that the land benefitted from certain rights of way which would materially affect the value of any development on the land. C’s new solicitors in that claim (S) sought advice from the local planning authority (LPA) on whether planning permission would be likely to be granted for any development on the land.

In making the request, S said it was doing so on a confidential basis, but did not mention it was being made in connection with the litigation between C and D.  The LPA provided the advice sought, which subsequently found its way into D’s hands via a FOIA request by D.  C sought an injunction restraining D’s use of that information in the proceedings between them on the basis that it was legally privileged.

The court agreed that the advice was prima facie protected by litigation privilege but said that requesters like S had to bear in mind that the LPA was subject to duties imposed by FOIA to provide information to the public.  Since no indication had been given that the advice was sought in the context of litigation, the court said that S had accepted that the information could come into the public domain by virtue of the local authority’s duties under FOIA and had therefore necessarily and impliedly waived any privilege which had existed.

In the alternative, the court said that even if it had accepted that privilege could still be maintained, it would not have been appropriate to restrain D from relying on the advice.  The way in which S sought advice was said to have run the risk that any privilege would be waived and D had also not acted improperly in making the request it did under FOIA or in reading the information once it had received it.

As noted above, the full analysis and implications may only become apparent if and when the full judgment becomes available and this was of course a decision in the context of private law proceedings rather than under FOIA.  Nonetheless, legal professional privilege is a common law doctrine and, unlike FOIA, is absolute in the protection it affords against disclosure.  The suggestion that the Act could influence the common law in this way is a very interesting one.

In practical terms, for those involved in planning law the decision sits alongside the decision in Tidman v Reading BC [1994] 3 PLR 72 (that LPAs do not owe a duty of care in providing such advice) as another important point for those making such requests to bear in mind.

Paul Greatorex

Appy days are here again…

September 10th, 2015 by Anya Proops

In case you have missed this vitally important piece of news (because I certainly did), the European Data Protection Supervisor has come up with an ingenious way of weaning you off playing Angry Birds. Yes, the EU Data Protection mobile app is now available at no charge for all data protection addicts – see here. Now, instead of getting on with some paid work, you can while away your time comparing the latest proposed texts of the draft General Data Protection Regulation. Joy!

Anya Proops

Vidal-Hall in the Supreme Court

September 8th, 2015 by Christopher Knight

By way of a (limited) update, the current expected listing for the Supreme Court hearing in Google Inc v Vidal-Hall is May-July 2016. Plenty of time to get your damages claims resolved between now and then…

CK

Data Sharing and Child Welfare in Scotland

September 8th, 2015 by Christopher Knight

It is not very often that this blog reports developments north of the Wall, but we like to make occasional forays, to check up on events of cross-border impact (and of course Common Services Agency and South Lanarkshire are just two examples of gifts from our Scottish brethren which just keep on giving). Assuming you’ll have had your tea, readers may wish to briefly glance at the recent judgment of the Inner House (the Court of Appeal for Scottish civil matters) in The Christian Institute v Scottish Ministers [2015] CSIH 64.

The case was a challenge to the Children and Young People (Scotland) Act 2014, an Act of the Scottish Parliament. Constitutionally minded readers will be aware that challenges can be brought against Acts of the devolved legislatures on grounds which would not be countenanced against an Act of the Westminster Parliament. Parts 1 to 5 of the 2014 Act form a comprehensive scheme intended to promote and safeguard the rights and wellbeing of children and young people. Part 3 provides for the preparation of three year “children’s services plans” for local authority areas designed to secure, inter alia, that children’s services are provided in a way which: best safeguards, supports and promotes the wellbeing of children; ensures that any action to meet their needs is taken at the earliest appropriate time; is most integrated from the point of view of recipients; and constitutes the best use of available resources.  Part 4 requires service providers to make available, in relation to each child or young person, an identified individual (“named person”), whose general function is to promote, support or safeguard the wellbeing of the child or young person, on behalf of the service provider concerned.

The challenge was to the creation of the named person, based upon various Convention articles – particularly 8 and 9 – which need not concern us here. That challenge failed. However, there was also a DP challenge: “the sections of the 2014 Act which deal with the sharing of information are incompatible with the requirement of the European Parliament and Council Directive on Data Protection (95/46/EC), as read and applied in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. For this reason also the provisions are ultra vires of the Scottish Parliament. They run contrary to the Data Protection Act 1998. The fact that data could be shared, when not strictly necessary, rendered the information sharing provisions (2014 Act, ss 26 and 27) incompatible with Article 7 of the Directive (criteria for legitimacy). There were insufficient safeguards against the unlawful sharing of data. There was no inbuilt “right to be forgotten””: at [6].

It may be useful to set out the Inner House’s summary of the relevant provisions, at [12]-[14]:

A set of provisions, contained in sections 23 to 27 of the 2014 Act, regulates requests to, and giving assistance by, service providers and the associated sharing and disclosure of information.  Distinct provisions apply according to whether: the named person functions are transferring from one service provider to another (s 23); a service provider is requesting help from another service provider (s 25); a service provider is required to provide information to the service provider (s 26(1)), and vice versa (s 26(3)).  A distinction is drawn between information sharing (s 26) and disclosure (s 27), according to the incidence of confidentiality.

A service provider must generally provide the service provider with information which is likely to be relevant to the exercise of named person functions (s 26(1) and (2)).  An equivalent duty is placed upon the service provider in the reverse situation (s 26(3) and (4)).  The views of the child require to be sought (s 26(5)).  The information holder may decide that the information ought only to be provided if the likely benefit to wellbeing outweighs any adverse effect (s 26(7)).  The holder may provide information if it is necessary or expedient for the purposes of named person functions. The sharing of information is not permitted or required where disclosure is otherwise prohibited or restricted, other than in relation to a duty of confidentiality (s 26(11)).  Thus, disclosure may be permitted, notwithstanding a breach of confidentiality, if the criteria in section 26 are otherwise satisfied and there is no other legal bar to it taking place. It is between service providers, and not individual named persons, that the specified information may be shared.  Where information is to be provided in breach of confidentiality, the recipient must be informed of the breach, and must not provide the information to any other person, unless otherwise permitted or required to do so by law (s 27).

In combination, the provisions are calculated to integrate services in order to secure the wellbeing of children and young people.

The Inner House dealt with the challenge fairly swiftly. It set out the Charter provisions and those of the Directive, before noting that the Directive had been implemented by the “labyrinthine” DPA (not unfair), which was not said to have failed to properly or fully implement the Directive. There was, as a result, no need to go beyond the DPA itself: at [96]. The Court’s reasoning at [97]-[100] is admirably clear.

The 2014 Act was not a mechanism which trumped the DPA. “Section 26(11) of the 2014 Act expressly provides that, with the exception of rules on confidentiality, the information sharing provisions are not to be held as permitting, far less requiring, the provision of information when it is prohibited or restricted by virtue of an enactment or rule of law. This makes it clear that the operation of section 26 involves compliance with existing law. That includes the Data Protection Act 1998 and hence the rights of the Charter and the principles in the Directive.” There might well be breaches in individual cases but they could be resolved on their own facts rather than through an abstract challenge. There “is no need for the 2014 Act to incorporate data protection principles, such as the need for consent or other specific protections, including the destruction of out of date data, within its four walls. The 2014 Act creates a regime involving child welfare which directs what should happen regarding the sharing of relevant information, but it assumes that the actions of those operating the system will comply with data protection principles.”

The 2014 Act did not, held the Inner House, involve the creation or collection of any new data; personal, sensitive or otherwise. The Court was obviously significantly influenced by the social policy of the legislation, seeking to introduce a system for the co-ordination and sharing of existing data in relation to children and young persons whereby situations involving a potential risk to a child’s or young person’s well-being, as defined, can more readily be identified and the relevant agency alerted. There was not a proportionality exercise taking place expressly, but the reasoning suggests pretty clearly what the answer would have been had there been one. See too at [102]-[103].

The challenge on DP grounds consequently failed, and the judgment is one which is easy to understand and follow. The need for a single, coherent, statutory scheme for child welfare information sharing which nonetheless complied with existing DP requirements was an unsurprisingly powerful pull for the Court of Session. It is a reminder that data protection is an important safeguard, but it is neither something which prevents agencies doing their jobs nor a trump card to be played in any and all situations. Carefully calibrated and structured schemes need not fear the DPA.

Christopher Knight