Posted in Technology and Commercial Telecoms Uncategorized

UK – Proposals to Reform the Electronic Communications Code

By Rob Shaw, Senior Associate and Ben Rogers, Legal Director – DLA Piper

Proposals for reform of the Code have gathered pace recently; on Tuesday the Department of Culture, Media and Sport released the Government’s proposals to reform the Code and yesterday it was announced that the new Code will be part of the Digital Economy Bill (as announced in the Queen’s Speech).


The Code was originally enacted in the Telecommunications Act 1984 to allow for the placing of landline telephone equipment on land. The Code was extended by the Communications Act 2003, recognising that regulation of all electronic communications, not just telephony, was crucial. Since then, we have seen dramatic change in the telecommunications sector with ever increasing demand for services and the development of new technology.

The existing Code has been widely criticised by telecommunications operators and landowners for being outdated and lacking clarity. The issues with the existing Code are well known to us from our experience of acting for Hibernia Networks, a major multinational telecoms operator, on the installation of their UK network. The proposed new Code aims to address the criticisms of the existing Code and prepare for future developments in technology.

The proposed new Code incorporates new rights for operators to help promote greater long term investment in digital infrastructure. The intention is that the new Code will be implemented through primary legislation (the Digital Economy Bill) as soon as possible.

Key Code proposals:

1. Valuation of land – A new basis for valuation of land to limit rents and to reflect the underlying value of land. The aim is to reduce rents and premiums to encourage greater investment and improve network coverage. The Government is clear that landowners should receive a fair value for use of their land, but that this should not include a share of the economic value created by high public demand for services provided by the operator. In order for this to be a smooth transition operators will need to work closely with landowners.
2. New rights to upgrade and share apparatus – The existing Code does not provide for any automatic power to enable the operator to share or upgrade its apparatus. The new Code, however, will permit operators to share or upgrade apparatus without any prior agreement of the landowner provided that there is minimal adverse visual impact caused by the apparatus. The intention is that this will allow operators to make more effective use of sites, thus reducing their infrastructure footprint and costs without impairing network provision.
3. Dispute resolution – To resolve disputes between landowners and operators as effectively and efficiently as possible, the dispute resolution procedure of the existing Code will be moved from the ordinary court system to specialist tribunals.
4. No contracting out of the Code – It will now no longer be possible for parties to exclude themselves from some or all of the provisions of the Code through commercial agreements as it is the Government’s view that this undermines the effectiveness of the Code.
5. Registration of Code rights – Code rights will continue to be binding on successors in title without such rights falling within the ambit of the land registration rules. The Government deems that the current arrangements in this area are sufficient and do not need to be reformed.
6. New Code will not apply retrospectively – The new Code will only apply to new agreements – it will not apply retrospectively to existing agreements as, in the Government’s view, this could give rise to disruption and uncertainty.

Whether or not the Government’s proposals make it onto the statute books remains to be seen (those with knowledge of the history of proposed reforms to the Code won’t be holding their breath!). We can envisage that some of the proposed reforms will not go down well with landowners, especially those who see rents reducing having made sites available to operators. The government’s stated goal of reforming the Code to help develop the UK communications network may, in practice, have the opposite effect as landowners adopt a more cautious approach to opening up sites to operators.

DLA Piper will monitor all further developments in respect of the proposed new Code and provide regular briefings on the progress of this proposed new legislation.

Posted in Asia Privacy Health Privacy Mobile Privacy Privacy and Data Security

Written by Scott Thiel, Julia Gorham, Anita Lam and Nicholas Boyle

Wearable devices’ – such as fitness trackers, wristbands, access cards – are an increasingly popular technology. Market researchers have estimated that some 21 million wearable devices were sold in 2014 (The Economist,14 March 2015, citing research by IDC).

In the US, approximately 90% of companies now operate “wellness programmes” for their staff which include competitions and team building to improve fitness and increasingly use wearable technology to record results. Estimates are that by 2018, more than 13 million activity trackers will be used for wellness programmes. The technology and its uses does not stop there. In addition to the more well-known fitness trackers, companies are also exploring the use of technology within corporate access cards, smart watches and specific health-related scanners. Some of the marketed features of many of these devices include their ability to record, track and report on individuals’ sleep, exercise activity, stress, heart rate and other health-related metrics, as well as the geo-location of the wearer and time of day and even biometric data in some cases (DNA, finger prints etc).

Employers are increasingly looking at leveraging wearable technology to enable them to monitor employees’ activities so that they can drive positive change via improved productivity for example as well as employee well-being. These drivers may also reduce costs and waste associated with injuries and illness and arguably lower insurance costs for businesses. Health and Safety is another area where wearable technologies can assist and is likely to become commonplace – for example use with pilots and transport drivers, construction sites or other workplaces that include high levels of manual labour, for example.

In considering whether and how to use wearable technologies with their employees, organisations must have regard to the requirements of the applicable data privacy rules and employment laws dealing with employees’ rights and consent, as well as potentially broader concepts of right to a private life in some jurisdictions. These legal and governance issues impact the design and implementation of any wearable technology rollout or specific corporate wellness / fitness tracking programme:

‘Managing the employment relationship’ and notification of the purposes of collection, use and disclosure 

From a data privacy perspective, whether or not employers will require consent to collect, use or disclose their employees’ personal data will depend on the local data privacy regime and the nature of the personal data. In some jurisdictions, employers do not require employee’s consent where the collection, use or disclosure of employees’ personal data is reasonable for the purpose of managing the employment relationship, although it may be necessary to notify employees of the purposes for which personal data will be collected, used and disclosed in connection with the management of the employment relationship. Some commentators argue that monitoring and managing employees’ performance, health and well-being at work falls within the scope of ‘managing the employment relationship’.

However, given the intrusive nature of wearable technology and the fact that it usually continues to be collected outside of working hours or where biometric data is being collected, more stringent requirements are likely to be applied and so best practice is for employers to obtain consent for the collection, use and disclosure of personal data via wearables, particularly where the company provides the device to the employee under a leasing arrangement or similar. The employee consent and notices about how employees’ personal data will be collected, used and disclosed should be set out in a specific policy or contract. Personal data such as sleep, biometric data and non-work activity history may amount to sensitive personal data in some jurisdictions, such that additional legal hurdles must be satisfied in notifying employees the purposes for which the data is being used and how it will be treated.

Employers should therefore notify employees and seek their consent to participate in any wearable technologies or corporate wellness / fitness tracking programme of: (a) what personal data will be collected, used and disclosed; and (b) the purposes for which, and how, the employees’ personal data will be collected, used and disclosed. Importantly, since fitness trackers are intended to be worn 24/7 and track activities that occur outside of work hours (eg, hours of sleep), the notice given to employees should note that the personal data collected, used and disclosed by the fitness tracker may include information that relates to employees’ activities outside of work hours.

Other issues to consider include whether employees can be mandated to participate in the use of wearable technology or wellness programmes. From the employment law perspective the answer is likely to be ‘no’, at least until the market moves on sufficiently that such use is deemed normal or standard practice. It is also likely that employers that seek to use information not related to work operations (or collected outside of business hours as outlined above) would face disputes form employees disciplined on the basis of such data.

It is also potentially arguable that a company does not own all of the data collected on such devices, unless the devices is leased to the employee – in the same way as a corporate mobile phone. this should be clarified in any operation policies.

Obligations to protect data and offshore data transfers

In addition, many data protection regimes impose obligations on organisations to take reasonable security arrangements to protect personal data in their possession or under their control in order to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal of that personal data.

The providers of many wearable devices and fitness trackers provide their own cloud-based solutions for collecting, collating and reporting on the data gathered by the devices and may offer organisations the ability to access and analyse their employees’ data through these platforms. These cloud-based solutions may also involve the transfer of personal data to offshore locations for the purposes of storage or processing.

Organisations should ensure that they have contractual arrangements in place with any provider of wearable devices / fitness trackers which, amongst other things, ensure that:

  • the transferred personal data enjoys comparable protection in the jurisdictions to which it is transferred (eg, by imposing obligations on the provider to give the transferred personal data protection which is comparable to that give under the relevant local laws and specifying expressly the countries to which the personal data may be transferred), and
  • the provider is obliged to take measures to protect personal data against accidental, unauthorised or unlawful access, disclosure, alteration, loss etc. and that the personal data of employees will be used only for: (a) the purposes of providing the relevant services to the organisation; and (b) if applicable, by the provider on an anonymised, aggregated basis for specified, agreed purposes (eg, improving and developing their wearable devices / fitness trackers, providing aggregated reporting to customers etc.)

In addition, organisations must have internal governance controls as to who in the organisation can access the data and for what purposes. Best practice is for data to only be available on an aggregated and not on an individual basis. It is easy to see occasions, however, when a business may want to identify which staff were in the office at the time misconduct was committed for example, or to clarify a report of misconduct in a specific location -in such circumstances an organisation will need to have given thought to whether it will access this data and how.

Other legal risks 

Importantly, organisations should also consider whether using wearable technology to monitor their employees’ performance, health and well-being may also give rise to other legal risks or issues under workplace health and safety laws, in negligence or under a contract.

For example, if the information collected from such technology means that an employer knows, or could reasonably know, that an employee has not had much sleep in recent days or was stressed, does that employer have a duty to:

  • the employee
  • members of the public who could be injured, and/or
  • the organisation for whom the employer is undertaking work under a contract,

to ensure that the employee doesn’t operate heavy machinery until their sleep/health/state of mind improves? Would the employer be liable to any of those people if the sleep-deprived employee was to fall asleep while operating the machinery and injure themselves or a member of the public, or damaged other property?

Posted in Privacy and Data Security Security Breaches US State Law

New Data Breach Notification Law in Nebraska

Written by Anne Kierig

An amendment to Nebraska’s data breach notification law, signed by the Governor earlier this month and effective July 20, 2016, makes key changes to the state’s notification regime.  First, the law expands the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.”  Nebraska will be the fifth state, including California, Florida, Nevada, and Wyoming, to require notification in the event of a breach of account credentials.  The law also will require notice to the Nebraska Attorney General no later than the time notice is provided to Nebraska residents affected by a breach.  Finally, the law will exempt encrypted data (defined as data “converted by use of an algorithmic process . . . into a form in which the data is rendered unreadable or unusable without use of a confidential process or key”) from a notification exemption safe harbor “if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system.”  The Nebraska state legislature passed the bill, LB 835, unanimously.

Posted in Cybersecurity Mobile Privacy US Federal Law

FTC Mobile Health Apps Announcement Reinforces Likely Increased Scrutiny of Mobile Health Apps

Written by Peter McLaughlin and Michelle Anderson

The U.S. Federal Trade Commission (FTC) recently announced its creation of a Mobile Health Apps Interactive Tool, a web-based tool designed to help developers of mobile health (mHealth) applications understand which federal laws and regulations they should consider in developing their apps[1]. While the tool is helpful as a starting place for mHealth app developers to recognize basic issues regarding the applicability of select laws and regulations, developers should be cautious about relying exclusively on guidance resulting from the tool[2]. In addition to using the tool, developers should obtain detailed legal guidance regarding:

  1. Complex legal issues under the laws and regulations covered by the tool, such as whether the type of information collected by the app is “identifiable health information”; and
  2. Additional legal and regulatory obligations, such as those under state laws or international laws.

Mobile Health Interactive Tool

The tool guides developers through high-level questions about their app’s functionality, data collection, and services to users. Based on a developer’s responses, the tool provides guidance about which federal laws may apply to the app. The tool’s guidance covers the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug and Cosmetics Act, the FTC Act, and the FTC’s Health Breach Notification Rule and includes a Glossary with definitions of regulatory terms (e.g., medical device), as well as links to further guidance and other federal agency resources, such as OCR’s Health App Use Scenarios & HIPAA and discussion portal, as well as the FDA’s Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff.

For example, if a developer says:

  • Question 1: Yes, my app creates, receives, maintains, or transmits identifiable health information;
  • Question 2: No, the developer is not a health care provider or health plan;
  • Question 3: No, the app does not require a prescription to access the app; and
  • Question 4: Yes, the app is being developed on behalf of a HIPAA covered entity then
  • Answer: The tool says that the developer is “likely [] a HIPAA business associate, subject to the HIPAA Security Rule and specific provisions of the HIPAA Privacy and Breach Notification Rules” and provides an overview of the obligations under each of the HIPAA Rules. In this scenario, the tool also directs the developer to Question 5 to see if the FD&C Act also applies.

While the tool is helpful in identifying basic issues it only covers the abovementioned laws and regulations, it does not address complex issues under those laws and regulations. For example, it does not help a developer determine whether the information collected by the app is “identifiable health information.” Similarly, for a developer producing a health app directed toward consumers but with data accessible to healthcare providers, the analysis becomes more complicated. For example, if the app permits a connection with a healthcare professional’s systems, the extent of that connectedness can mean the difference between the application of HIPAA or the FTC’s consumer protection rules – and as recent FTC enforcement in the mHealth app space demonstrates, simply because an app may handle protected health information does not mean that the app is outside the FTC’s jurisdiction.

FTC Mobile Health App Best Practices

In conjunction with the release of the interactive tool, the FTC also released its own guidance, Mobile Health App Developers: FTC Best Practices. This guidance is aimed at helping developers understand their obligations under the FTC Act. For example, it recommends that developers provide “simple, clear, and direct” notice of their app’s privacy and security features, including providing “just in time” notice regarding the collection of sensitive or unexpected data (e.g., geolocation information) and explaining why certain information is being collect (e.g., collecting geolocation information in order to track the distance cycled if the app is a cycling app). The FTC also notes that certain information, such as dietary information or blood pressure readings, may require obtaining a user’s affirmative express consent prior to collecting or sharing the data. This mHealth app developers guidance draws on the FTC’s June 2015 Start with Security: A Guide for Business, which provided practical lessons that all businesses can learn from the FTC’s data security settlements under the FTC Act.

Increased Regulatory Activity Likely

It remains to be seen whether the FTC’s release of this tool and guidance is simply to provide resources to mHealth app developers – or whether the FTC will use this guidance to bring enforcement actions under its unfair and deceptive acts and practices powers. However, the release of this tool and guidance is part of a larger trend of increased regulatory activity within the health data security space, coming on the heels of the appointment of members to the Health Care Industry Cybersecurity Task Force, as required under the Cybersecurity Information Sharing Act of 2015; updated OCR audit protocols for HIPAA Phase 2 audits; and the release of OCR’s HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.

[1] The tool was designed in collaboration with the U.S. Department of Health and Human Services (HHS), including the Office of the National Coordinator for Health Information Technology (ONC), the Office for Civil Rights (OCR), and the Food and Drug Administration (FDA).

[2] The FTC even included the following disclaimer on the tool’s website: “It’s not meant to be legal advice about all of your compliance obligations, but it will give you a snapshot of a few important laws and regulations from three federal agencies.”

Posted in EU Data Protection International Privacy

Data Protection Working Party Announces decision to reject EU-US Privacy Shield

Written by Sydney White

On April 13, the Article 29 Data Protection Working Party announced a decision to reject the EU-US Privacy Shield agreement as drafted and requested changes based upon the following concerns, on which we provide some initial analysis.

  • The Privacy Shield lacks clarity due to its format (the European Commission adequacy decision and the numerous annexes make it difficult to navigate). It also contains some inconsistencies.
  • The Privacy Shield will need to be revisited after the General Data Protection Regulation comes into effect in 2018, most likely to further strengthen protections. This would be a major change in the text of the agreement.
  • Commercial aspects of European law are not adequately reflected in the Privacy Shield including the protections of the purpose limitation, data retention, individual decisions on automatic data processing. This too would be a major change.
  • Onward transfers from Privacy Shield entities will not be subject to consistent protections including on national security. As applied to transfers outside the US, this is not a major change in current EU standards.
  • There should be clarification of the new recourse procedures available to European citizens including a possible role for EU data protection authorities. If limited to funneling complaints to the FTC, this would not be a major change.
  • The Ombudsman established under the US State Department is not sufficiently independent and will not have adequate to authority to effectuate remedies. This could be addressed potentially by the Ombudsman in the FTC.

Significantly, the Statement emphasized that representations from the US Office of the Director of National Intelligence are inadequate with respect to “massive and indiscriminate surveillance of individuals” and consequently the Working Party will be looking to upcoming rulings by the EU Court of Justice on surveillance cases.

Although the Article 29 Working Party plays only an advisory role to the European Commission, we expect that the more specific recommendations in particular will be incorporated into the framework prior to final approval by EU authorities. Given European Summer holidays, this may not happen until September.

Posted in EU Data Protection International Privacy

EUROPE – US: EU Data Protection Authorities voice strong concerns about Privacy Shield

EU Data Protection Authorities demand improvements before EU – US transfer mechanism will be approved.

The Article 29 Working Party (“WP29“), which comprises the national data protection authorities of the EU member states, issued a statement on Wednesday strongly criticizing the draft “EU – US Privacy Shield” proposal. Privacy Shield is intended to be the replacement to the defunct Safe Harbor scheme, which allowed EU companies to legally export personal data to the US.

Whilst WP29 accepts that, in its current form, Privacy Shield represents a significant improvement over Safe Harbor, it believes it does not go far enough in offering EU citizens an adequate level of protection for their personal information. Crucially, WP29 considers that Privacy Shield does not sufficiently address the massive and indiscriminate collection of personal data by the US authorities which was the precipitating factor in the Schrems case which brought down Safe Harbor.

In summary, the specific criticisms voiced by WP29 are:

  • Lack of clarity – Privacy Shield is comprised of various documents and annexes, making information hard to find and at times inconsistent;
  • Lack of key data protection principles – some of the central principles of European data protection law, such as purpose limitation and data retention, are not sufficiently covered by the proposal;
  • Onward transfers – the proposal does not ensure that the same standards are applied by third country recipients who receive EU personal data from a Privacy Shield entity;
  • Complex redress mechanism – EU citizens may not be able to effectively defend their rights in the face of a complex recourse mechanism which for many will be in a different language;
  • Indiscriminate data collection – there is insufficient detail about how the massive and indiscriminate surveillance of individuals by US authorities will be curtailed. In WP29’s view, such surveillance can never be considered proportionate or necessary;
  • Ombudsperson not independent – WP29 welcomes the creation of an Ombudsperson role to handle and solve complaints raised by EU citizens. However, it is concerned that this role will not be sufficiently independent from US authorities.

The statement also concluded that, even if Privacy Shield is approved as an adequate mechanism for data transfers under current legislation, a review of its efficacy will be needed following the entry into application of the General Data Protection Regulation (“GDPR“) in 2018. This appears to be a strong hint from WP29 that in its current form, Privacy Shield would almost certainly not be GDPR compliant.

As the Privacy Shield proposal is still being finalized, WP29’s assessment is not fatal. However, it is a clear signal to the EU Commission and to their partners in the US that significant improvements are needed if the scheme is to earn the adequacy decision which will make it a legal mechanism for data transfers.In the meantime, WP29 has repeatedly stated that Binding Corporate Rules and the EC standard contractual clauses (or ‘model clauses’) can be relied upon for data transfers, and represent a safe alternative for former Safe Harbor companies. Although both of these schemes will be reviewed by WP29 in due course, it will not make any decision about them until after Privacy Shield has been dealt with.

If you need any assistance with the fast evolving area of EU – US data transfers, please contact a member of our global Data Protection, Privacy and Security team.

Posted in Telecoms

The future of spectrum

I attended a seminar on the future of spectrum this morning. I thought there were a few interesting points, with international elements, that would be worth sharing:

1. As consumers use more and more data on their mobile devices lack of capacity is increasingly becoming an issue, even with the benefits of 4G.

2. Spectrum will therefore become, if anything, even more important because using more spectrum increases capacity on a mobile network.

3. The other way to improve capacity is to build a more dense network – ie have more base stations and antennae. This is expensive, but then so is more spectrum!

4. Wifi is also important as a way of moving traffic from mobile to fixed networks.

5. The UK will, by 2020, have made more spectrum available for mobile use than just about any other country.

6. Newer technologies may facilitate dynamic sharing of spectrum between operators’ networks according to demand – though we are quite a few years away from being able to do this in real time.

7. It seems likely that quite a lot more spectrum will be made available worldwide in the medium term (c 5 years) but this will all be very high frequency (24 GHz+) – this means low propagation, so *much* more dense networks will be needed – antennae will need to be located in cities every 100m or so!

8. This means interference between networks will become more of a problem.

9. Site sharing (placing antennae from two networks on the same site) can help with interference problems because each can be planned knowing about the other.

I conclude from all this that (though these weren’t specifically mentioned in the seminar) : (i) When real-time dynamic sharing is possible this will facilitate whole new business models in the telecoms sector – eg a wholesale-only spectrum owner could automatically auction spectrum to the highest bidder in each area continuously, leading to much more efficient use; and (ii) “passive” (or site) sharing will become even more important in future.

We at DLA Piper have already been involved with several network sharing projects, so look forward to more!

Posted in Cybersecurity Internet of Things Privacy and Data Security US Federal Law

NTIA Seeks Comment on IoT Issues

The National Telecommunications and Information Administration (“NTIA”) has sought comment on a broad range of issues related to the advancement and regulation of the Internet of Things (“IoT”), including technological challenges/benefits of IoT, definitional issues, privacy, and cybersecurity related issues, among others. NTIA will use the information to produce a “green paper” in which it intends to identify potential benefits and challenges of the technologies and possible roles of the U.S. government in fostering the advancement of IoT technologies.

Among the broad range of inquiries, NTIA seeks comment on:

  • Novel technological challenges presented by IoT relative to existing technological infrastructure, devices, and policy issues
  • Definitional issues to be used in examining the IoT landscape
  • Do current and planned laws, regulations, and/or policies foster and/or hinder development and deployment of IoT
  • Role of the U.S. government in establishing policies and rules regarding IoT cybersecurity
  • Privacy considerations specific to IoT, how such considerations are different from other privacy considerations, and role of the U.S. government regarding policies, rules, and/or standards with regard to privacy and IoT.

Comments are due by 5:00 PM EST on May 23, 2016.





Posted in EU Data Protection Privacy and Data Security Technology and Commercial Uncategorized

EUROPE: The Applicability Of EU Data Protection Laws To Non-EU Businesses

Written by Carol Umhoefer ( and Caroline Chancé (

This article first appeared in E-Commerce Law and Policy – volume 18 issue 03 (March 2016).

On December 16, 2015, the Article 29 Data Protection Working Party (“WP29″) updated their Opinion 8/2010[1] on applicable law in light of the landmark decision Costeja v. Google[2] rendered by the Court of Justice of the European Union (“ECJ”) on May 13, 2014.

In a context where local data protection authorities are increasingly scrutinizing cross-border data processing operations, companies worldwide need to identify whether and which EU data protection law(s) apply to processing of personal data taking place wholly or partially outside the EU.

Yet the extent of the territorial scope of the Directive has always raised many questions. In 2010, the WP29 concluded in their Opinion 8/2010 that Article 4(1)(a) of the Data Protection Directive 94/46/EC[3] (“Directive”), which provides that a Member State’s data protection law shall apply to data processing “carried out in the context of the activities of an establishment of the controller on the territory of the Member State”, suggests a very broad scope of application.

The exact extent of application remained rather unclear despite the WP29’s guidelines until four years later when the question of whether EU data protection laws should apply to a business based and processing personal data outside the EU came up before the ECJ in the so-called “right to be forgotten” case, Costeja v. Google. In its judgment, the ECJ held that Spanish law applied to the personal data processing performed by the search engine operated by Google Inc., a US-based controller, on the ground that it was “inextricably linked to”, and therefore was carried out “in the context of the activities of” Google Spain, whose advertising and commercial activities constituted the “means of rendering the search engine at issue economically profitable”.

The WP29 have recently updated their 2010 opinion to take into account Costeja. According to the WP29, the implications of the judgment are very broad and should certainly not be limited to the question of determining applicable law in relation to the operation of the Google search engine in Spain. And indeed, Costeja confirms the broad territorial application of Article 4(1)(a) of the Directive that was espoused by the W29 in 2010. In this respect, the WP29 recall that the notion of establishment in itself must be interpreted broadly, in line with recital 19 of the Directive, which provides that the notion of “establishment (…) implies the effective and real exercise of activity through stable arrangements”[4], such as subsidiaries or branches for example. In Costeja, there was no doubt that Google Spain, the Google Inc. subsidiary responsible for promoting in Spain the sale of advertising space generated on the website, fell under that definition. However, it was disputed whether the data processing in question, carried out exclusively by Google Inc. by operation of Google Search without any intervention on the part of Google Spain, was nevertheless carried out “in the context of the activities of” Google Spain.

The ECJ then introduced a new criterion: the “inextricable link” between the activities of a local establishment and the data processing activities of a non-EU data controller. As underlined by the WP29, the key point is that even if the local establishment is not involved in any direct way in the data processing, the activities of that establishment might still trigger the application of EU data protection laws to the non-EU controller, provided there is an “inextricable link” between the two.

What this “inextricable link” might be raises many questions. The WP29, while insisting on the importance of conducting a case-by-case analysis, considers that, depending on the role played by local establishments, non-EU companies offering free services within the EU, which are then financed by making use of the personal data collected from users, could also be subject to EU data protection laws. The same reasoning would apply, for example, to non-EU companies providing services in exchange for membership fees or subscriptions, where individuals may only access the services by subscribing and providing their personal data to the EU establishments.

The WP29 are careful to say that being part of a same group of companies is not in itself sufficient to establish the existence of an “inextricable link”, and that additional factors are necessary, such as promotion and sale of advertising space or revenue-raising, irrespective of whether such proceeds are used to fund the data processing operations in the EU. But because the examples provided by the WP29 are almost solely based on revenue flow as the source of the “inextricable link”, it is difficult to conceive of what type of multinational will not have such an “inextricable link” between the activities of a subsidiary (let alone a branch) in the EU and a parent company outside the EU. The long arm of the Directive is in effect stretched even further.

Will this criterion still be relevant when the General Data Protection Regulation[5] (“GDPR”) applies, likely by July 2018? Certainly, insofar as article 3(1) provides that the GDPR applies “to the processing of personal data in the context of the activities of an establishment of a controller… in the Union”. But the GDPR goes much farther: not only does it consecrate Costeja by specifying that the GDPR applies “regardless of whether the processing takes place in the Union”, it also applies to processing in the context of the activities of an establishment of a processor in the EU, even if the processing occurs outside the EU. Moreover, relying more explicitly on the “effect principle”, article 3(2) of the GDPR further extends the territorial scope of EU data protection law to any data controller based outside the EU that either: (i) offers goods or services to EU residents; or (ii) monitors the behaviour of EU residents.

Another important aspect the WP29 infer from the Costeja decision concerns the applicable law where a business has multiple establishments in the EU, with a designated “EU headquarters”, and this establishment alone carries out the functions of a data controller in relation with the processing operations in question. The WP29 note that, although the Court did not directly address this question, neither did it distinguish its ruling according to whether or not there is an EU establishment acting as a data controller or being otherwise involved in the processing activities. For the WP29, this means that where there is an “inextricable link”, several national laws may apply to the activities of a business having several establishments in different Member States, regardless of whether one of them qualifies as data controller in respect of the processing in question. This position goes beyond the plain meaning of article 4(a) of the Directive, which provides that “when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable”.[6]

In conclusion, although the WP29’s recent update provides some useful illustrations to help businesses determine whether they should comply with EU data protection law, it does not clarify its exact scope. In particular, WP29’s analysis mostly focuses on websites where data subjects have a connection with one EU establishment, leaving aside other scenarios, such as when data subjects have absolutely no connection with any EU establishment. And the question of how are companies to deal with conflicts of laws remains unanswered. The discussions over these questions promise to be challenging, even more so now with the prospect of the application of the GDPR.

For further information, please contact or

[1] WP29, Opinion 8/2010 on applicable law, December 16, 2010.

[2] Case C-121/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014.

[3] Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[4] Recital 19 of the Directive.

[5] COM/2010/2011 final, Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[6] The recitals of the Directive are admittedly puzzling. Recital (18) states that any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States and processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State. But recital (19) provides that if a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure that each of the establishments fulfils the obligations imposed by the national law applicable to its activities – thereby vitiating the entire concept of separate legal personality, and failing to denote whether those subsidiaries are to be considered controllers or processors.