The European Commission’s new proposed regulation: From “equipment/means” to “directed to” criterion
By Fabio Di Resta
In a globalised world where every place is interconnected via the Internet and new technologies, companies—both big multinationals and SMEs—are operating more and more in different jurisdictions. Particularly, in the Internet environment, companies provide services and products remotely and they collect data that they can easily share among an undetermined group of enterprises. These are widespread activities in the Information Society that can raise problems if not carried out lawfully.
New Regulation and Harmonisation
In order to ensure legal certainty for controllers, individuals and stakeholders, the EU legislative body is trying to address applicability and jurisdictional issues. The European Commission will publish its new proposed data protection framework on Wednesday, January 25. According to an official draft (version no. 56, 29 November 2011) of the new regulation released late last year for inter-service consultation, one of the main objectives of this document is to fulfill the ambitious harmonisation of the data protection laws of EU Member States. This is particularly relevant for multinationals, who struggle with the lack of sufficient harmonisation, which creates legal uncertainties and barriers to free movements of data in Europe.
External scope of the EU data protection law
In more detail, the following example of a common electronic transaction shows the main challenges that faced in protecting personal data in the EU:
A buyer resides in Europe, while the vendor’s place of business is outside of the EU. In this case, many privacy experts say that the rules and conditions under which the buyer controls his own personal data should be applied; these rules should come from the country in which the buyer (data subject) resides rather than those in which the place of business of the operator of electronic commerce is located (data controller).
The simple above-mentioned case illustrates one of the most crucial issues of the EU data protection law and the ongoing debate on the review of EU data protection law framework. On this subject, the provisions on applicable law provide a set of rules to determine the external scope of EU law, this means that provisions determine the extent to which the EU data protection law is applicable to data processing that has taken place wholly or partially outside the EU or European Economic Area (EEA) (Iceland, Liechtenstein and Norway).
The “Equipment/Means” Criterion
Regarding European data protection law applied outside the EU, there is a clear principle stated in the 95/46/CE Directive that will be revised. The article 4 (1) c provides that the national law of Member States is applicable when the data controller is not established in the EU/EEA but for purposes of data processing that “makes use of equipment, automated or otherwise, situated on the territory of the said Member States.” The principle expressed here is called “equipment/means” criterion, and it is rather relevant in network environments such as cloud computing and for multinational companies. It should be considered that the scope of protection of a person residing in the EU cannot be reduced only to a national or resident in EU, taking into account that the right to protection of personal data is a fundamental right that can be infringed even by data processing wholly or partially operated outside of the EU. On the other hand, there should be a mitigation of the application the “equipment/means” criterion, otherwise there could be a serious risk to apply EU law to data processing thta does not have any real connection with EU/EEA.
For this reason, this principle is combined with a complementary criterion which takes into account the relevant targeting of the data processing to individuals. This is a criterion that is widespread in different jurisdictions: the EU regulation on jurisdiction and recognition and enforcement of judgments of civil and commercial matters; the United States’ legislation on the protection of children online (COPPA), and some national laws transposing the Directive 2000/31/EC on electronic commerce. In these cases, national law applies respectively when individuals, children or purchasers are targeted by the data processing.
Case 1: Geo-Location Services
For the sake of clarity, two cases in which the criteria apply should be considered. These examples were analysed in the Opinion 8/2010 on the applicable law adopted on 16 December 2010 by the Article 29 Data Protection Working Party. The first case refers to geo-location services. A company located in New Zealand used cars globally, including in EU Member States, to collect information on Wi-Fi access points (which also includes private terminal equipment of individuals). In this case, the cars collecting Wi-Fi information along the streets were considered as data processing “equipment.” Moreover, the company provided a geo‑location service to individuals processing data through dedicated software installed in the individuals’ devices. In this case data protection law applies to the data controller located in New Zealand because of the presence of the “equipment” (cars and devices).
Case 2: Cloud computing
The other case refers to cloud computing. In this IT model, personal data are usually processed and stored on servers in several places around the world. The exact place where the data are stored is not always known, and it can change over the time. In order to trigger the applicability of EU law, the relevant information includes the context of activity within the EU (principle of establishment) and the location of the equipment.
The first step is to identify the data controller and its activities. In this context, the user of the cloud service could be a data controller. A company uses an agenda service online: if the company uses the agenda in the context of activity of its establishment in the EU, the EU law will be applicable. However, the cloud provider could also be under some circumstances a data controller. This is the case when it provides for an agenda online where private parties can upload all their personal appointments and contacts. Even if the cloud provider is located outside the EU, it uses means in the EU, thus there is a “use of equipment” that means EU law will be applicable. In order to further explain when EU law is applicable, it is important to note that the directive does not apply when means are used for transit purpose only, but it will again be applicable if the service uses calculating facilities, runs java scripts or installs cookies for the purpose of storing and retrieving personal data of the user. A further consequence of the application the EU law is the appointment of a representative established in the EU, in such a way the controller can eventually be responsible under the EU law.
To sum up, the use of the “equipment/means” criterion must always take into account all relevant elements, otherwise there could be a real risk of the absence of connecting factors with the territory.
The New Perspective in the Regulation Proposal: “Directed To” Criterion
The criteria analysed above could be amended by the European Commission’s recent proposal of regulation. The article 2 (2) provides that “the regulation applies to the processing of personal data of data subjects residing in the Union not carried out in the context of the activities of an establishment of a controller in the Union, where the processing activities are directed to such data subject, or serve to monitor the behavior of such data subject.” The Article 2 (5) d states the regulation does not apply to the data processing when operated “by a person without any gainful interest in the course of its own exclusively personal or household activity, unless personal data of other natural persons is made accessible to an indefinite number of individuals.”
The article 2 (2) eliminates the “equipment/means” criterion to be substituted only by the relevant targeting of the data subject (nationals and residents), this entails that it is sufficient to direct an online service to a European resident to make the controller subject to the EU Law. The recital 15 of regulation proposal specifies that the overall activity of which the data controller was envisaging processing the personal data of the data subject should be taken into account, considering in particular the international nature of the activities or use of the language or currency other than the language or currency generally used in controller’s country of establishment or the use of top-level domain name. In the last part of the recital there is an interesting statement: “The mere accessibility of the controller’s website by a data subject residing in EU is insufficient.” This last provision should bring to the exclusion of “necessary” cookies as a valid ground to claim the EU law application.
Furthermore, it should be considered that any economic operator who targets to an EU data subject (i.e. operator of electronic commerce) will be obliged to appoint a representative established in the EU, leading to a further economic burden to do business in EU territory. This should bring an exemption for SMEs, who cannot afford this burden. Without this exemption, there could be several negative consequences. For example, the representative appointment could be an economic barrier, which strongly restricts the choice of EU consumers who will not be able to purchase online products and services coming from outside of the EU.
With respect to article 2 (5) d, this provision could imply that an individual who posts the personal data of others in a social network or on the Internet could be subject to the EU law.
The choice of the European Commission to enhance the threshold to trigger the application of EU law outside the EU does not seem appropriate to address the future challenges of Internet and could use some amendment. On the other hand, the lack of stronger law enforcement and thus the effectiveness of data protection provisions seems to be the real priority in the international context. Lastly, it should be regarded that the “directed to” criterion pushed towards an exterritorial jurisdiction of the EU law. The worry is that this legal criterion will be considered a mere theoretic principle by Extra EU/EEA countries without further international legal agreements and strong international cooperation at the EU level.
Fabio Di Resta is an attorney at the Di Resta Law Firm, where he specialises in data protection and IP law.