Information Security and Data Protection Newsletter - July/August 2016
Herewith, your back-to-school edition of our data protection alerter. We start back in June with the EU referendum result, which has given the GDPR an uncertain future…
Published 1 September 2016
There have been a number of recent cases on how both European law and the law in other jurisdictions deal with the question of the law applicable to data protection disputes.
In a judgment of the 2nd US Circuit Court of Appeals in New York in Microsoft Corporation v USA (Case 14-2985), Microsoft won the right to refuse to comply with a warrant for disclosure of a customer's email account on the basis that the contents of the email account were in Dublin. The US law under which the warrant was made was ruled not to have extraterritorial effect. Interestingly, the data was held in Dublin but was accessible by employees in the US. However, the ability to access the Dublin server from the US was not enough to bring it within the US jurisdiction. For further details of the case see the last story in the international section: "Decision prevents US from accessing emails stored in Ireland".
Meanwhile over in Europe, in Case C-191/15, Verein für Konsumenteninformation v Amazon EU Sàrl, the CJEU had to consider the way the EC Data Protection Directive deals with the question of the law applicable to data protection disputes. The case concerned Amazon’s sales to Austrian customers. Amazon is a Luxembourg-established company with no office in Austria, and its terms and conditions say that Luxembourg law applies. An Austrian consumer protection watchdog raised numerous issues over these terms and conditions on behalf of Austrian consumers, including which law was applicable to data protection issues arising out of a transaction covered by those terms and conditions.
The AG published his opinion on this earlier in July, which concluded that a data controller should only be subject to the jurisdiction of one data protection law in Europe even if the data were being processed by that data controller in a number of Member States.
The CJEU has now ruled in a more opaque manner. Following the wording of the Directive, it ruled that the correct law to apply is the law where the data controller is "established". The ruling noted that the fact that Amazon does not have a subsidiary or branch in Austria does not mean Amazon might not be established in Austria, but merely having a website accessible to Austrians was not enough to show establishment. The CJEU also noted that the processing need not be “by” the establishment itself, so long as it is in the context of the activities of the establishment.
The question to consider is whether Amazon carries out the data processing in question in the context of the activities of an establishment situated in Austria. The question was referred back to the Austrian court for consideration.