Written by Carol Umhoefer (Carol.Umhoefer@dlapiper.com) and Caroline Chancé (Caroline.Chance@dlapiper.com).
This article first appeared in E-Commerce Law and Policy – volume 18 issue 03 (March 2016).
On December 16, 2015, the Article 29 Data Protection Working Party (“WP29″) updated their Opinion 8/2010 on applicable law in light of the landmark decision Costeja v. Google rendered by the Court of Justice of the European Union (“ECJ”) on May 13, 2014.
In a context where local data protection authorities are increasingly scrutinizing cross-border data processing operations, companies worldwide need to identify whether and which EU data protection law(s) apply to processing of personal data taking place wholly or partially outside the EU.
Yet the extent of the territorial scope of the Directive has always raised many questions. In 2010, the WP29 concluded in their Opinion 8/2010 that Article 4(1)(a) of the Data Protection Directive 94/46/EC (“Directive”), which provides that a Member State’s data protection law shall apply to data processing “carried out in the context of the activities of an establishment of the controller on the territory of the Member State”, suggests a very broad scope of application.
The exact extent of application remained rather unclear despite the WP29’s guidelines until four years later when the question of whether EU data protection laws should apply to a business based and processing personal data outside the EU came up before the ECJ in the so-called “right to be forgotten” case, Costeja v. Google. In its judgment, the ECJ held that Spanish law applied to the personal data processing performed by the search engine operated by Google Inc., a US-based controller, on the ground that it was “inextricably linked to”, and therefore was carried out “in the context of the activities of” Google Spain, whose advertising and commercial activities constituted the “means of rendering the search engine at issue economically profitable”.
The WP29 have recently updated their 2010 opinion to take into account Costeja. According to the WP29, the implications of the judgment are very broad and should certainly not be limited to the question of determining applicable law in relation to the operation of the Google search engine in Spain. And indeed, Costeja confirms the broad territorial application of Article 4(1)(a) of the Directive that was espoused by the W29 in 2010. In this respect, the WP29 recall that the notion of establishment in itself must be interpreted broadly, in line with recital 19 of the Directive, which provides that the notion of “establishment (…) implies the effective and real exercise of activity through stable arrangements”, such as subsidiaries or branches for example. In Costeja, there was no doubt that Google Spain, the Google Inc. subsidiary responsible for promoting in Spain the sale of advertising space generated on the website google.com, fell under that definition. However, it was disputed whether the data processing in question, carried out exclusively by Google Inc. by operation of Google Search without any intervention on the part of Google Spain, was nevertheless carried out “in the context of the activities of” Google Spain.
The ECJ then introduced a new criterion: the “inextricable link” between the activities of a local establishment and the data processing activities of a non-EU data controller. As underlined by the WP29, the key point is that even if the local establishment is not involved in any direct way in the data processing, the activities of that establishment might still trigger the application of EU data protection laws to the non-EU controller, provided there is an “inextricable link” between the two.
What this “inextricable link” might be raises many questions. The WP29, while insisting on the importance of conducting a case-by-case analysis, considers that, depending on the role played by local establishments, non-EU companies offering free services within the EU, which are then financed by making use of the personal data collected from users, could also be subject to EU data protection laws. The same reasoning would apply, for example, to non-EU companies providing services in exchange for membership fees or subscriptions, where individuals may only access the services by subscribing and providing their personal data to the EU establishments.
The WP29 are careful to say that being part of a same group of companies is not in itself sufficient to establish the existence of an “inextricable link”, and that additional factors are necessary, such as promotion and sale of advertising space or revenue-raising, irrespective of whether such proceeds are used to fund the data processing operations in the EU. But because the examples provided by the WP29 are almost solely based on revenue flow as the source of the “inextricable link”, it is difficult to conceive of what type of multinational will not have such an “inextricable link” between the activities of a subsidiary (let alone a branch) in the EU and a parent company outside the EU. The long arm of the Directive is in effect stretched even further.
Will this criterion still be relevant when the General Data Protection Regulation (“GDPR”) applies, likely by July 2018? Certainly, insofar as article 3(1) provides that the GDPR applies “to the processing of personal data in the context of the activities of an establishment of a controller… in the Union”. But the GDPR goes much farther: not only does it consecrate Costeja by specifying that the GDPR applies “regardless of whether the processing takes place in the Union”, it also applies to processing in the context of the activities of an establishment of a processor in the EU, even if the processing occurs outside the EU. Moreover, relying more explicitly on the “effect principle”, article 3(2) of the GDPR further extends the territorial scope of EU data protection law to any data controller based outside the EU that either: (i) offers goods or services to EU residents; or (ii) monitors the behaviour of EU residents.
Another important aspect the WP29 infer from the Costeja decision concerns the applicable law where a business has multiple establishments in the EU, with a designated “EU headquarters”, and this establishment alone carries out the functions of a data controller in relation with the processing operations in question. The WP29 note that, although the Court did not directly address this question, neither did it distinguish its ruling according to whether or not there is an EU establishment acting as a data controller or being otherwise involved in the processing activities. For the WP29, this means that where there is an “inextricable link”, several national laws may apply to the activities of a business having several establishments in different Member States, regardless of whether one of them qualifies as data controller in respect of the processing in question. This position goes beyond the plain meaning of article 4(a) of the Directive, which provides that “when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable”.
In conclusion, although the WP29’s recent update provides some useful illustrations to help businesses determine whether they should comply with EU data protection law, it does not clarify its exact scope. In particular, WP29’s analysis mostly focuses on websites where data subjects have a connection with one EU establishment, leaving aside other scenarios, such as when data subjects have absolutely no connection with any EU establishment. And the question of how are companies to deal with conflicts of laws remains unanswered. The discussions over these questions promise to be challenging, even more so now with the prospect of the application of the GDPR.
 Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
 The recitals of the Directive are admittedly puzzling. Recital (18) states that any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States and processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State. But recital (19) provides that if a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure that each of the establishments fulfils the obligations imposed by the national law applicable to its activities – thereby vitiating the entire concept of separate legal personality, and failing to denote whether those subsidiaries are to be considered controllers or processors.