Locations
This article was first published in Data Protection Law & Policy in February 2011
Possibly the most commonly asked privacy-related question by any organisation looking to expand into Europe is whether EU data protection law applies to it. That is in fact a question that the creators of the original EU data protection directive considered very carefully and tried to address in the black letter of the law to avoid uncertainties. However, as a result of the tension between the two parallel objectives of the directive - to protect the fundamental rights and freedoms of individuals, and to facilitate the free flow of personal data between Member States - the rules that determine the applicability of EU data protection law are far from clear cut. Fortunately, European regulators are well aware of this and even they scratch their heads when trying to reconcile the words of the applicability of the law criteria with their supervisory duties.
The complexity behind the provisions in the directive that determine when EU law applies stems from the fact that legislators tried their best to ensure that, on the one hand, individuals did not find themselves unprotected whilst, on the other hand, the same activity was not governed by the laws of more than one EU country. The result of this two-fold aim was a finicky rule that sort of worked in an analogue world but generates many non-sensical situations in today's digital world. One thing is for sure: the application of the law is not limited to the territory of the European Union as both the processing of personal information outside the EU and organisations with no physical presence in the EU may be caught.
The starting point of the applicability criteria is the place of establishment of the organisation making decisions about the use of the data. If that organisation is established in an EU Member State and the data processing takes place in the context of the activities of the organisation, then EU law will most definitely apply. Simple. But even this plain rule has its quirks because what counts as being established in the EU is subject to different interpretations.
The Article 29 Working Party, in its formal Opinion on applicable law, provides examples of an establishment that range from truly stable arrangements - like having a permanent office - to much more ambiguous situations - like appointing an agent. Clearly, the level of stability between these two cases is not comparable and to apply the law of the country where a company has its headquarters with the same rigour as the law of the country where the same company has a humble sales representative does not sound quite right.
But what really creates uncertainty for international organisations is the applicability rule that relies on the use of EU-based equipment by those who do not have any other physical presence in the EU. According to this rule, a business operating anywhere in the world (but with no establishment in the EU) will be subject to EU law if it makes use of equipment located in the EU to process personal information. So what counts as "equipment" then? Here is where technical jargon meets national linguistic differences and the whole thing becomes a real mess. A data centre with racks of servers will surely qualify as equipment. But what about a mobile phone, a GPS watch or an iPod Nano? Any of these items can generate buckets of valuable personal information but their size alone turns their location into a trivial consideration. But even if size does not matter, how strong should the connection be between the use of equipment and the processing of data?
European regulators still maintain that collecting cookie data from an EU-based device triggers the application of EU data protection laws. Their rationale for this is that Europeans’ data is being collected en masse via cookies and this deserves the protection afforded by EU law. A very commendable aim which seems to ignore the fact that since pretty much every website on the planet uses cookies, all such websites are suddenly subject to the laws of all 27 member states. And if that is an odd result, what about the application of EU law to a non-EU organisation which happens to engage an EU-based data service provider? The fact that the controller is outside the EU turns the processing into an international data transfer that should then be legitimised by that controller warranting to itself that it will look after the data. Madness.
Where does this leave us? From a practical point of view, it is definitely advisable that an overseas organisation that is serious about doing business in Europe establishes a physical presence in the EU by means of an entity situated in a member state and makes that entity responsible for any data decisions. That way, at least suitable efforts can be devoted to managing data protection compliance in accordance with the laws of that country rather than to managing the risk of being subject to disparate national legal regimes. Looking at the future, organisations should prepare to pay attention to the laws of the jurisdictions where they target individuals, as this principle is quite likely to make it into the new data protection framework. In the meantime, it would just be helpful if legal harmonisation actually happened.