The Council is making initial progress in reforming EU data protection law.

Steve Peers

The EU’s 1995 data protection rules, laid out in a Directive, are undergoing a major transformation. The Commission has proposed a new Regulation, sparking discussions since early 2012. While negotiations continue, June saw a significant step forward: the Council (composed of EU Member States’ justice ministers) agreed on its stance regarding the proposal’s application outside the EU. This agreement, though partial, provides valuable insight into the negotiation’s trajectory.

It also presents a timely opportunity to examine how this evolving legislation might affect the application of the controversial Google Spain judgment.

The Council’s Partial Agreement

The Council’s agreement, while focused on how the new rules will apply beyond the EU’s borders, carries significant weight given the increasing global reach of internet and social media platforms. These rules have the potential to apply worldwide.

To grasp the agreement’s implications, we need to examine four key elements: (a) the existing 1995 Directive and its interpretation by the Court of Justice of the European Union (CJEU); (b) the 2012 proposal; (c) the Council’s position; and (d) the European Parliament’s (EP) position.

We will analyze two aspects within each element: (1) When do the standard EU data protection rules apply, even if the company handling data is outside the EU? (2) When do the specific rules on data transfers outside the EU come into play?

The Existing Rules

Currently, Article 4 of the 1995 Directive states that the standard rules apply to any data controller based within an EU Member State. The CJEU’s interpretation in the Google Spain case clarified that this applies when a non-EU company has a subsidiary in an EU Member State, and that subsidiary’s actions are tied to the parent company’s business model. Furthermore, if a data controller operates in multiple Member States, it must comply with the national law of each of those States.

Moreover, the 1995 Directive’s standard rules apply when a Member State’s national law applies under international law or when a data controller, while based outside the EU, uses equipment located within an EU Member State. This is relevant, for example, to the use of ‘cookies’ stored on computers within the EU, potentially falling under the scope of ‘using equipment’.

Regarding external data transfers, the current rules (Article 25) dictate that data can only be transferred if the recipient country ensures an ‘adequate level of protection’. The Commission holds the authority to determine whether or not such protection exists. However, Article 26 allows Member States, unless prohibited by national law, to permit external transfers if: the individual provides unambiguous consent; the transfer is necessary for fulfilling a contract with the data controller or for pre-contractual steps requested by the individual; the transfer is essential for a contract benefiting the individual as a third party; the transfer is legally mandated or crucial for public interest or legal claims; the transfer is vital for the individual’s well-being; or the transfer originates from a publicly accessible register.

A Member State can permit a transfer to a country lacking adequate protection if the data controller can guarantee sufficient safeguards, often through contractual clauses. The Commission can designate specific standard contractual clauses as providing such protection.

The 2012 Proposal

The 2012 proposal (Article 3) expands the reach of the new Regulation. It applies if: a data controller or processor is established in the EU; the data controller, though outside the EU, offers goods or services to, or monitors the behavior of, EU residents; or a Member State’s national law applies under international law. The ‘use of equipment’ provision is omitted.

Concerning external transfers, the proposal retains the current framework but adds further detail. It outlines factors for the Commission to consider when evaluating a third country’s adequacy, including legal remedies and supervisory authorities. Decisions made under the 1995 Directive regarding adequacy would remain valid.

External transfers would be allowed under binding corporate rules, standard contractual rules (adopted by the Commission or national authority), or individually negotiated contracts authorized by a national authority. Otherwise, transfers would need approval from a supervisory authority. Existing authorizations would remain effective.

A new provision details the contents of unilaterally adopted binding corporate rules, requiring approval by a supervisory authority.

Additional derogations, unlike the current mandatory ones, would be optional. The proposal clarifies that consent requires informing the individual of potential risks, and transfers in their interest are permitted only if they cannot provide consent. A new ground for transfer emerges, based on the legitimate interest of the data controller or processor, subject to safeguards. National or EU law would further define ‘public interest’ as justification for transfers.

The Council’s Position

The Council proposes amending the Commission’s proposal by clarifying that the standard rules apply regardless of payment for goods or services. However, the rules concerning monitoring behavior would only apply to behavior within the EU.

For external transfers, the Council suggests adding details to the assessment of third-country adequacy, including their participation in data protection treaties. It also proposes an advisory role for the envisioned European Data Protection Board in this process. The Council aims to empower the Commission to monitor and revoke its adequacy decisions, but remove its power to declare a country’s protection inadequate.

The Council would also allow external transfers based on codes of conduct or certification mechanisms. Transfers in the private interest of data controllers or processors would be subject to potential overrides in favor of the individual’s interest. Member States would gain more power in defining ‘public interest’ for transfers, a power previously held by the Commission.

The EP’s Position

The EP proposes that, if the data controller or processor is within the EU, the data processing location is irrelevant. It wants to apply the standard rules to both data controllers and processors offering goods and services or monitoring individuals, regardless of payment. Unlike the Council, the EP wouldn’t restrict the monitoring clause to EU-based behavior, but would apply it to any form of monitoring.

Regarding external transfers, the EP agrees with the Council on the Commission monitoring its adequacy decisions and the new Board’s involvement. However, the EP wants to implement a ‘sunset clause’ on existing adequacy decisions and retain the Commission’s power to declare countries’ protection inadequate.

Similarly, the EP proposes that existing authorizations for contractual clauses expire soon after the new rules are enacted, though it supports the Council’s suggestion of a certification process for justifying external transfers. For binding corporate rules, the EP wants to ensure worker consultation when their data is involved and apply the rules to subcontractors, an issue the Council addresses by referring to groups of companies. The EP rejects the notion of transfers based on controllers’ legitimate interests.

Finally, the EP introduces a ‘Snowden clause’, prohibiting national courts from recognizing non-EU court orders for personal data disclosure, but with exceptions for mutual assistance treaties and international agreements between the EU/Member States and non-EU countries.

Observations

Firstly, the impact of the recent EP election on its position needs to be addressed. In the EU system, legislative proposals persist through elections and Commission changes. The new EP typically votes to reaffirm previous positions. Given the overwhelming support for the EP’s stance on the data protection Regulation, securing a majority to reaffirm its position is expected.

The incoming Commission will decide on withdrawing pending proposals, but rarely those actively under discussion, such as the data protection proposal.

Moving to the core issues, all three institutions agree on retaining the ‘establishment’ rule, extending it to data processors. The EP’s clarification regarding data processing location might be redundant.

The ‘use of equipment’ clause will be removed, while the public international law clause and the new goods and services/monitoring clause will be retained. All three bodies agree that payment is irrelevant for the ‘goods and services’ clause. However, differences remain on applying the new clause to data processors and the scope of ‘monitoring behavior’.

Concerning external transfers, the existing structure remains, with disagreements on the ‘Snowden clause’ (weakened by exceptions for international treaties), the Commission’s authority to issue ‘inadequacy’ decisions (never used before), sunset clauses, justifying transfers based on private interests, and the process for determining ‘public interest’ justifications.

The new rules’ impact hinges on the interpretation of the current rules. The ‘establishment’ clause will likely be interpreted as in Google Spain, applying when a subsidiary’s work aligns with the parent company’s business model. Lack of case law on the ‘use of equipment’ makes its removal’s impact unclear.

Focus will shift to the meaning of ‘offering goods or services’ and ‘monitoring’. The preamble offers clarification: the former applies when a website targets EU citizens for sales (indicated by language and currency used), excluding entities like Wikipedia or free social networks/search engines (though some might fall under the ‘establishment’ rule).

‘Monitoring’ applies when internet activity is tracked for profiling, according to the preamble. It doesn’t explicitly address social media usage records, which needs clarification. The Council’s limitation of monitoring to EU-based behavior seems impractical given the internet’s nature.

The relevance of external transfer clauses depends on the standard clauses’ scope. Wider application of standard rules diminishes the external transfer rules’ significance, and vice versa.

The external transfer clauses will likely resemble the existing ones, requiring minimal adjustments to corporate and NGO strategies. The EP’s ‘Snowden clause’ and rejection of transfers based on data controllers’ interests may pose challenges, though the former is weak, and controllers can often achieve their goals through consent or contracts.

Negotiating the new rules still faces significant hurdles. Defining territorial scope before the main substance is unusual.

While many issues require resolution, those impacting the Google Spain decision’s consequences, especially on social networks and Wikipedia, are particularly noteworthy: defining ‘data processor’ (crucial if the EP’s stance on its scope prevails); the ‘household exception’ for user-generated content; the journalism exception; and defining grounds for data processing (consent and controller’s legitimate interests).

Barnard & Peers: chapter 9

Licensed under CC BY-NC-SA 4.0