Positive ruling for US businesses adopting single EU controller model?
In two preliminary decisions, the Administrative Court of German Federal State Schleswig-Holstein ruled last week that two administrative acts which had been issued by the DPA of Schleswig-Holstein
In two preliminary decisions, the Administrative Court of German Federal State Schleswig-Holstein ruled last week that two administrative acts which had been issued by the DPA of Schleswig-Holstein (ULD) against Facebook Inc. and Facebook Ireland Ltd. cannot be enforced until a decision in the main proceedings is made (ref. nos. 8 B 60/12 and 8 B 61/12). What at first sight seems to be only a side aspect in the ULD´s battle against the handling of personal data by the world´s largest social network has some fundamental implications as the court denied the applicability of German data protection law on the company´s German activities at all.
In its preliminary decisions, the court followed Facebook´s argument that only Facebook Ireland Ltd. is relevant for the determination of applicable law, as its German entity solely provides supporting services (marketing and acquisition) and is not involved in the processing of personal data. Facebook Ireland would be the only European entity with direct control about user data of non-US users. Other European entities would not be involved in the processing of personal data. The court regarded it irrelevant whether Facebook Inc. (USA) would be the sole controller of personal data, or whether it would be joint controller together with Facebook Ltd. (Ireland), as Facebook Ltd. must be regarded as an establishment of Facebook Inc. which processes personal data in the course of its business operations. The court stated that Facebook Ltd., with its 400 employees and its infrastructure in Dublin "implies the effective and real exercise of activity through stable arrangements" within the meaning of recital 19 of the Directive, and thus fulfills the requirements for an "establishment" under Art. 4 (1)(a) of Directive 95/46/EC.
Further, the court stated it would not be relevant where the servers are located on which the data is stored and processed as Art. 4 (1) (a) of Directive 95/46/EC only requires that the processing is carried out "in the context of the activities of an establishment of the controller", so that Facebook Ltd. must be regarded as an establishment within the meaning of Art. 4 (1) (a) of Directive 95/46/EC even if the technical infrastructure is located in the US.
The background of the case is that the ULD had issued two identical administrative orders against Facebook Inc. and Facebook Ireland Ltd. in December 2012 to force the company to unlock aliased user accounts that had been locked by Facebook. The ULD regards Facebook´s policy that users must use full and correct names for their profiles to be in violation of German data protection regulation and the German Telemedia Act, which stipulate that an anonymous/aliased use of the internet services must be offered where possible. The ULD also made the order immediately enforceable, and only this additional element to the order was subject to the preliminary ruling of the court.
It must thus be borne in mind that the decision is only preliminary and based on a consideration of interests rather than a thorough legal consideration. The main criterion for the court was whether the interest of the DPA in an immediate enforcement supersedes Facebook´s interest in the suspension of the enforcement. The legal assessment, although part of that consideration, is not binding and will be further scrutinized in the main proceedings. Also, the DPA of Schleswig-Holstein has lodged a complaint against the decision.
Conclusions: In general, the decisions of the administrative court support the validity of a structure that various US internet businesses use in Europe to mitigate potential exposure to multiple EU data protection regimes, i.e. appointing a single European subsidiary to assume controllership of European users' personal data, while other European subsidiaries provide supporting services in the areas of marketing and distribution. However, the decision also shows that the setup of a European structure must be carefully shaped as the court put specific emphasis on the "stable arrangements" and the personnel and infrastructural configuration of the establishment. This makes clear that "letterbox offices" will not be accepted, and that only a legal setup that reflects the reality of the business may qualify as an establishment under the Directive.
As a further important point to note, the court also held that EU data protection law does not require the IT infrastructure to be located on European soil. In this regard, it must be noted that Directive 95/46/EC potentially allows for an opposing interpretation; and it should be closely monitored whether the position of the Administrative Court of Schleswig-Holstein finds support in potential appellate proceedings.
In its preliminary decisions, the court followed Facebook´s argument that only Facebook Ireland Ltd. is relevant for the determination of applicable law, as its German entity solely provides supporting services (marketing and acquisition) and is not involved in the processing of personal data. Facebook Ireland would be the only European entity with direct control about user data of non-US users. Other European entities would not be involved in the processing of personal data. The court regarded it irrelevant whether Facebook Inc. (USA) would be the sole controller of personal data, or whether it would be joint controller together with Facebook Ltd. (Ireland), as Facebook Ltd. must be regarded as an establishment of Facebook Inc. which processes personal data in the course of its business operations. The court stated that Facebook Ltd., with its 400 employees and its infrastructure in Dublin "implies the effective and real exercise of activity through stable arrangements" within the meaning of recital 19 of the Directive, and thus fulfills the requirements for an "establishment" under Art. 4 (1)(a) of Directive 95/46/EC.
Further, the court stated it would not be relevant where the servers are located on which the data is stored and processed as Art. 4 (1) (a) of Directive 95/46/EC only requires that the processing is carried out "in the context of the activities of an establishment of the controller", so that Facebook Ltd. must be regarded as an establishment within the meaning of Art. 4 (1) (a) of Directive 95/46/EC even if the technical infrastructure is located in the US.
The background of the case is that the ULD had issued two identical administrative orders against Facebook Inc. and Facebook Ireland Ltd. in December 2012 to force the company to unlock aliased user accounts that had been locked by Facebook. The ULD regards Facebook´s policy that users must use full and correct names for their profiles to be in violation of German data protection regulation and the German Telemedia Act, which stipulate that an anonymous/aliased use of the internet services must be offered where possible. The ULD also made the order immediately enforceable, and only this additional element to the order was subject to the preliminary ruling of the court.
It must thus be borne in mind that the decision is only preliminary and based on a consideration of interests rather than a thorough legal consideration. The main criterion for the court was whether the interest of the DPA in an immediate enforcement supersedes Facebook´s interest in the suspension of the enforcement. The legal assessment, although part of that consideration, is not binding and will be further scrutinized in the main proceedings. Also, the DPA of Schleswig-Holstein has lodged a complaint against the decision.
Conclusions: In general, the decisions of the administrative court support the validity of a structure that various US internet businesses use in Europe to mitigate potential exposure to multiple EU data protection regimes, i.e. appointing a single European subsidiary to assume controllership of European users' personal data, while other European subsidiaries provide supporting services in the areas of marketing and distribution. However, the decision also shows that the setup of a European structure must be carefully shaped as the court put specific emphasis on the "stable arrangements" and the personnel and infrastructural configuration of the establishment. This makes clear that "letterbox offices" will not be accepted, and that only a legal setup that reflects the reality of the business may qualify as an establishment under the Directive.
As a further important point to note, the court also held that EU data protection law does not require the IT infrastructure to be located on European soil. In this regard, it must be noted that Directive 95/46/EC potentially allows for an opposing interpretation; and it should be closely monitored whether the position of the Administrative Court of Schleswig-Holstein finds support in potential appellate proceedings.