MEET THE AUTHOR SERIES • 7 NOVEMBER 2018
Summary by Laura Drechsler, FWO, Brussels Privacy Hub, LSTS, VUB
On 7 November 2018, the Brussels Privacy Hub hosted the fifth edition of its Meet the Author Series with Mistale Taylor (Utrecht University) discussing her doctoral thesis “Transatlantic Jurisdiction Conflicts in Data Protection Law: How the Fundamental Right to Data Protection Conditions the European Union’s Exercise of Extraterritorial Jurisdiction”.
The seminal work exploring jurisdictional issues connected to the EU’s data protection rules was debated by Anna Buchta (EDPS), Frederik Zuiderveen Borgesius (University of Amsterdam/LSTS) and Hielke Hijmans (Brussels Privacy Hub).
The event started with an overview by Mistale Taylor of the main points in her doctoral thesis. She highlighted that her research angle was based on public international law and originally started with the question whether extraterritorial jurisdiction can be justified by global values. Taking data protection as a regional value for the European Union (EU), the research concretely looked at permissible bases in public international law for the EU to exercise jurisdiction, studying in detail the potential justifications of positive obligations under fundamental rights law, territory and personality.
To specify the research, the thesis applied the findings to three major case studies in a transatlantic context between the EU and the United States (US), namely the value conflict between data protection and security, data protection and freedom of expression, and data transfers as enabler for trade and commerce. One main conclusion of the research was that EU data protection laws have a normative effect as they are setting a global high standard for data protection. However, in a transatlantic context this standard-setting is met by a push-back from the US, who sees its sovereignty encroached upon. The thesis proposes certain pathways how to solve this conflict by using public international law as a limitation to the jurisdiction the EU can exercise.
Hielke Hijmans followed this introduction by some general remarks and questions. He noted that the EU was increasingly taking on the role of championing its values on human rights and democracy in the wider world, which also serves as justification for wider applicability of EU law.
However, according to Hijmans it remains unclear what the core values and principles of the EU that should be exported under this justification are. Regarding the field of data protection, what would be the core data protection rules the EU should be promoting? Regarding the different justifying avenues explored in the thesis, concretely permissibility, general link to the EU and balancing of interests, how would they be applied in Case C-507/17 (Google CNIL case) currently pending at the Court of Justice of the European Union (CJEU), where the question is precisely on the territorial scope of the right to erasure under EU data protection law?
Finally, Hijmans observed that questions regarding jurisdiction in data protection issues are closely intertwined with questions on jurisdiction on the internet in general. Potential options explored in the book for jurisdiction are: jurisdiction based on effects, or active or passive personality principles (meaning a potential link with the residence or nationality of a person). None of them can lead to a perfect answer for internet jurisdiction. In the end, it is not so clear when EU data protection law applies (or even should apply).
These introductory interventions were followed by critical remarks by Anna Buchta, who highlighted the practical relevance of the thesis. She started by doubting that an international agreement setting some core standards for data protection would be realistic as currently the EU does not seem to have the power to effectively negotiate them. Neither Safe Harbour, the Privacy Shield nor the Umbrella Agreement (though technically not international agreements) are entirely satisfactory in their outcome from a data protection perspective. Nevertheless, in case such agreements were being negotiated, Buchta argued for using Article 8 of the Charter of Fundamental Rights of the EU (CFR) together with Article 16 Treaty on the Functioning of the European Union (TFEU) as the starting point for figuring out the core principles of data protection (an analysis taken up by the CJEU in Opinion 1/15). Starting from these provisions the core principles would be: legal basis, necessity and proportionality regarding the purpose of processing, protection of sensitive data, data subject rights of information, access, action and redress, and oversight with a degree of independence (which is up for debate). She noted that these standards should be similar for both adequacy agreements and international agreements on data transfers, even though both things might not be the same thing, and that they are more limited than the proposals of the data protection authorities (DPAs) brought forward in the Article 29 Working Party (WP29) opinion on an adequacy referential.
Buchta continued by exploring the jurisdictional issues in the pending Google CNIL case (C-507/17). She observed that the question in this case is essentially whether the delisting that should follow a successful request based on the right to erasure should concern only the Google results in the country of the applicant or should apply to Google results world-wide. She estimated that the CJEU will probably not concentrate on the potential justification of its jurisdiction under public international law but will focus on the effective ensuring of EU fundamental rights. This was the approach the CJEU also took in the Google Spain case, where a main motivation for the CJEU’s decision was arguably the wish to avoid the possibility of circumvention of EU fundamental rights law by using certain business models where there is no EU controller (currently used by most US online giants).
She further expressed her hope that the CJEU will also take the origins of the “right to be forgotten” (right to erasure) into account, which stems from criminal law and concerns the right to regain a clean slate on one’s criminal record after a certain period of time has elapsed and any punishment for the original crime is completed. As such, it fulfils an important role in any criminal justice system as it allows certain offenders a second chance to integrate into society. If a delisting request should be based on such reasoning, there would be no reason, in Buchta’s opinion, why such information should still be accessible in the US when it was removed in the EU. Additionally, she highlighted that delisting information was not the same as deleting it, as the accessibility of the original source remains untouched (it just becomes less easy to find).
Finally, Buchta discussed the importance of territory as a connecting factor for jurisdiction. She pointed out that even though Article 3 General Data Protection Regulation (GDPR) does not mention territory any longer, it does not mean in her opinion that territory has lost importance compared to Article 4 Data Protection Directive (DPD).
Buchta also explained that as the thesis points out it remains unclear who is protected as a data subject under the EU Fundamental Rights Charter (CFR). While the CFR proclaims that it applies to anyone, it does not apply to all situations, as it is limited to EU institutions or situations where EU law applies by virtue of Member States implementing it. As such, even certain intra-EU data protection situations might be outside the scope of the CFR, for example data protection in national elections (though there exist different opinions on this). Furthermore, Buchta criticised the notion of basing jurisdiction on residency in the EU, as the EDPS fears that such a link could exclude many people normally entitled to data protection rights in the EU without permanent official residence status, such as students, mobile workers, cross-border providers, migrants or asylum-seekers. Currently for example, British EU officials are having issues proving their residence in Belgium to claim Belgian nationality as their time with the EU institutions in Brussels is not always counted for the required residence periods.
Final critical remarks were offered by Frederik Zuiderveen Borgesius, who praised the clarity of the thesis as the topic is very multi-layered and complex. He especially agreed with the proposed solution in the thesis to the pending Google CNIL case. In short, the thesis proposes that, if a delisting request is successful, Google should delist search results for the name search only for search engine users with an IP address from Europe.
He admits that this would not be a perfect compromise but it would take into account that countries outside of the EU might have legitimate reasons to resist delisting based on their valuing of freedom of expression (this is especially true for the US, where freedom of speech has a very high constitutional value).
He elaborated that such an approach could be potentially counter-argued by arguing that an EU fundamental rights perspective would prevent protected rights from being violated in third countries. Zuiderveen Borgesius feared however that the CJEU might take an activist approach and decide in favour of CNIL in the Google/CNIL case, and that the CJEU might leave such pragmatic compromises aside.
Before the debate with the audience, author Mistale Taylor was given an opportunity to react to remarks and questions received. She started by pointing out that the EU should be restrained when defining core data protection principles to be included in international agreements, to avoid a push-back on the grounds of sovereignty. These principles should include that processing is lawful, that there is purpose limitation and specification regarding the purposes data is being processed for, the need for a data subject to be informed about the purpose of processing ex ante and for the controller to show an additional legal basis if he or she plans to use the data for other purpose, data quality including limitations on the time period data can be retained for, and accountability and fairness as guiding principles for the whole processing. Other elements such as particular data subject rights, independent data protection authorities or protection of sensitive data, Taylor considered as very EU specific. They might not be of relevance or feasibly incorporated into all international agreements. In her opinion the CJEU in Opinion 1/15 was too detailed and technical, making the negotiation of meaningful international agreements more difficult as not all its suggestions could be incorporated into subsequent agreements.
Regarding the pending Google CNIL case, Taylor puts forward that the assessment developed in her thesis might lead to a better understanding of the issues at hand. Firstly, in respect of the permissive principles under public international law for jurisdiction, the EU could probably rely on its human rights obligations to justify a certain extraterritorial reach of the right to erasure.
Data protection as an EU fundamental right means that the EU is obliged to respect, protect and fulfil this right within a wide jurisdictional scope. To limit this wide scope, the public international law concept of jurisdiction based on territory can provide an important first step. In data protection such territory can be based on subjective (the territory where the action at hand was initiated) or objective grounds (the territory where an act is consummated). Additionally, personality-based anchors such as nationality or residence could play a role. In a nutshell, this could justify the EU exercising jurisdiction over their data subjects, with the limitations posed by the principles of personality and territoriality. Further mitigating factors will then be needed to restrain any overreach, such as reasonableness as a subset of comity and the balancing of state interests respecting the plurality of the legal order.
In Google CNIL, this means there needs to be a sufficient connection between the EU and the situation to justify EU jurisdiction. This should pose no problem as such link was found in Google Spain based on an EU establishment of a Google subsidiary whose activities are inextricably linked to Google Inc. After having established this territorial link, the different interests and fundamental rights at issue need to be balanced, such as freedom of expression, data protection, state sovereignty, or an interest in global information sharing. Within this balancing, Taylor argued that reasonableness needs to have a role. From such a reasonableness assessment, it would seem to go too far and encroach on US sovereignty and the principle of non-interference to ask Google to implement each successful delisting request on a global scale. Instead, to be within reasonableness, only people accessing search engine results from any country in the EU (as determined by geo-location technologies or IP address) should see redacted results according to the delisting request. Regarding the potential decision of the CJEU, Taylor puts forward that the European Commission seems to side with Google in the case fearing potential global consequences should the CJEU find such a wide application of the right to erasure. According to her, the CJEU might focus on guaranteeing an implementation of the right to erasure that would be effective in the whole EU.
Finally, she focused on the question of territory as a jurisdictional link. Recent formulations on territorial scope in data protection texts, such as the GDPR or the modernised Convention 108, refer to activities “in the Union” or “in the jurisdiction of the Member State”, these more abstract terms could translate to a looser concept of territory potentially showing a lessening of the importance of differentiating between extraterritorial and territorial jurisdiction.
The presentations were followed by a lively debate with the audience, discussing further potential limitations of the concept of territory, the implications of the Google CNIL proceedings and the need to allow different cultural valuation of fundamental rights to play a role.
Keep up to date of our activities and developments. Sign up to our newsletter:
Copyright © Brussels Privacy Hub