A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 1 September 2016
There have been a number of recent cases on the way both European law and law in other jurisdictions deal with the questions of applicable law to data protection disputes.
In a judgment of the 2nd US Circuit Court of Appeals in New York in Microsoft Corporation v USA (Case 14-2985), Microsoft won the right to refuse to comply with a warrant for disclosure of a customer's email account on the basis the contents of the email account were in the Dublin. The US law under which the warrant was made was ruled to not have extraterritorial effect. Interestingly, the data was held in Dublin but was accessible by employees in the US. However, the ability to access the Dublin server from the US, was not enough to bring it within the US jurisdiction. For further details of the case see the last story in the international section: "Decision prevents US from accessing emails stored in Ireland".
Meanwhile over in Europe, in Case C-191/15, Verein für Konsumenteninformation v Amazon EU Sàrl the CJEU had to consider the way the EC Data Protection Directive deals with questions of the applicable law to data protection disputes. The case concerned Amazon’s sales to Austrian customers. Amazon is a Luxembourg established company with no office in Austria and whose terms and conditions say that Luxembourg law applies. An Austrian consumer protection watchdog raised numerous issues over these terms and conditions on behalf of Austrian consumers including which law was applicable to data protection issues arising out of a transaction covered by those terms and conditions.
The AG published his opinion on this earlier in July, which concluded that a data controller should only be subject to the jurisdiction of one data protection law in Europe even if the data were being processed by that data controller in a number of Member States.
The CJEU has now ruled in a more opaque manner. Following the wording of the Directive, it ruled that the correct law to apply is the law where the data controller it "established". The ruling noted that just because Amazon does not have a subsidiary or branch in Austria does not mean Amazon might not be established in Austria but, merely having a website accessible to Austrians was not enough to show establishment. The CJEU also noted that the processing need not be “by” the establishment itself, so long as it is in the context of the activities of the establishment.
The question to consider is whether Amazon carries out the data processing in question in the context of the activities of an establishment situated in Austria. The question was referred back to the Austrian court for consideration.
To see the Amazon judgment click here.
To see the Microsoft judgment click here.
London - Walbrook
+44 (0)20 7894 6577
Shehana Cameron Perera, Lorraine Ekong, Jade Kowalski, Rhiannon Webster, Ceri Fuller, Khurram Shamsee, Christopher Air, Sophie Devlin
Aleksandar Dimitrov, Neal Pal
Rhiannon Webster, Charlie Christie
Hans Allnutt, Mark Anderson, Gregory Bautista, Anjali Das, Kieran Doyle, Bastian Finkel
Hans Allnutt, Rhiannon Webster
Hans Allnutt, Patrick Hill, Laura Stewart, Lorraine Ekong
Lorraine Ekong, Hans Allnutt
Hans Allnutt, Camilla Elliot
Hans Allnutt, Patrick Hill
Hans Allnutt, Rhiannon Webster, Patrick Hill