Privacy & Information Security Law Blog

Early this week, the Article 29 Working Party issued its December 16, 2010 Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”).

The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold.  First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”).  The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws.  Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks.  Furthermore, in light of the general revision of the EU data protection framework, the Opinion includes suggestions to improve the existing applicable law provisions in the EU Data Protection Directive.

Key Provision of the Directive

The Directive’s key provision concerning applicable law is Article 4, which states that each Member State must apply its national provisions:

• “…where the processing [of personal data] is carried out in the context of activities of an establishment of the controller on the territory of a Member State” (Article 4(1)a, emphasis added); or,
• If the controller is not established within the EEA, but makes use of equipment located in a Member State to process personal data, unless such equipment is used only for transit purposes (Article 4(1)c).

Clarifications of the Existing Rules on Applicable Law

The Opinion provides guidance to assist companies in the interpretation of Article 4 of the Directive.  In particular, according to the Working Party, Article 4(1)a means that:

• If a data controller has one establishment in the EEA, there will be one law for the whole EEA, depending on the location of this establishment (except with regard to security measures, where the laws of the country where a possible processor is located may apply); and,
• If a data controller has several establishments in the EEA, the application of national legislation will correspond to the activities of each establishment.  This means that if a controller has establishments throughout the EEA, multiple laws may apply to a processing activity depending on the level of involvement of each establishment.

In order to determine which national laws apply to which activities, the Working Party provides guidance on a number of key concepts, and clarifies that:

• An establishment on the territory of a Member State implies the effective and real exercise of activities through stable arrangements, regardless of whether the establishment has legal personality there.
• The notion of “context of activities of an establishment” means that the place where data are located or where the controller is established is not decisive in determining which law applies.  Rather, it is the location of an establishment that carries out data processing activities that should be considered.  The degree of involvement of that establishment in the processing activities and the nature of these activities are also key to determining whether national data protection law applies.  Such analysis calls for a functional approach that asks, “what is the true role of each establishment, and which activity is taking place in the context of which establishment?”

The Working Party also provides clarifications on Article 4(1)c, regarding controllers located outside the EEA and states that:

• Article 4(1)c only applies when Article 4(1)a is not applicable (i.e., “when the controller does not have any establishment that is relevant for the activities in question in the EEA”).  However, Article 4(1)c should apply even if the controller does have an establishment in the EEA, if the processing does not take place in the context of activities of that particular establishment (i.e., if the establishment located in the EEA is not sufficiently involved in the data processing); and,
• The Working Party considers the term “equipment” to encapsulate the broader concept of “means,” which is more akin to the wording used in other translations of Article 4(1)c.  In certain circumstances, the term “means” may include technical as well as human intermediaries (for example, surveys and questionnaires).  The Working Party recognizes that this broad interpretation may sometimes lead to undesirable consequences, such as a possible universal application of EU data protection law, and provides recommendations for improvement as described below.

Suggestions for Improving the Directive

The Working Party’s main suggestion for the improvement of Article 4(1)a is to shift back to the country of origin principle.  This would mean that only the laws of the Member State in which the main establishment of the controller is located would apply.  Pursuant to the current “distributed” approach, different national laws may apply to different establishments of the controller within the EEA depending on the “context of the activities” criterion.  However, further harmonization of national laws, including of security requirements, would be necessary in order to avoid “forum shopping” issues.

For Article 4(1)c, in situations where the controller is established outside the EEA, the Working Party suggests that additional criteria be developed to ensure that a sufficient connection with the EEA territory exists.  Such criteria may include:

• Introducing the concept of “targeting of individuals” or a “service oriented approach.” Under this criterion, EU data protection laws would only be triggered if there is substantial targeting of individuals within EEA countries.  The Working Party notes that this would be akin to the criteria used by the U.S. Federal Trade Commission with respect to enforcement of the Children’s Online Privacy Protection Act, which is triggered, among other things, if U.S. children are targeted by a website.
• Redefining the “use of equipment/means” criterion.  The current application of this criterion has shown undesirable consequences, such as a possible universal application of EU data protection law.  The Working Party advises that this criterion could be kept from a fundamental rights perspective and in a residual form.  According to the Working Party, only a certain limited number of data protection principles should apply in these cases, such as the legitimacy and security principles.

As a final recommendation, the Working Party calls for greater harmonization and clarification regarding the requirement that data controllers located outside the EEA appoint a representative within the EEA.

View the full Opinion.