The processing of personal data in the context of evolving technology and globalisation of commerce has prompted the Article 29 Working Party, in its most recent Opinion, to take a hard look at the applicable law provisions under the European Data Protection Directive and their implementation by the Member States.
The Working Party believes that the increase in the number of multi-jurisdictional businesses and changes in technology, together with the current inconsistency in approach to the applicable law provisions seen across the Member States, make this a pressing area for review.
Whilst the guidance provides some helpful clarification on the current rules that apply national laws to controllers that are either (i) “established” in a European country or (ii) not established in any EU territory but use equipment located in a European country, what is more interesting are some of the more fundamental changes being considered as part of the proposed overhaul of the Data Protection Directive (and how the approach has changed since the Working Party issued its views in 2002).
There is a suggestion that Europe should return to a country of origin principle, where all establishments of a controller within Europe will apply the law of the territory of the controller’s headquarters or “main” establishment (as opposed to different national laws applying to each establishment that carries out processing depending on the territory in which it is situated). Given the marked differences in implementation of the Directive, enforcement activity and imposition of penalties throughout Europe, without a major harmonisation exercise such an approach could only result in forum shopping and confusion for individuals as to what rights apply.
Even more significant is the suggested change as to how European law should apply to entities that are not established in Europe, but that are effectively targeting European consumers. The current application of the “use of equipment/means” criterion has attracted considerable criticism, particularly given developments in technology such as cloud computing and the like, which can result in a non-EU entity having no real nexus with Europe but, due to the storage of its data in Europe at some point in time, becoming subject to the laws of the territory where its storage provider has infrastructure.
Whilst the proposed changes will likely be welcomed by privacy advocates, and any move away from an equipment-based test makes sense given current technology and practice (e.g. cloud computing and the use of service providers that often adopt a follow-the-sun model for their operations), the approach appears inconsistent with the country of origin approach proposed for businesses that are established in Europe. Businesses established in Europe would only have to comply with the laws of the territory of their main establishment, whilst those established outside Europe and targeting European consumers would need to comply with the laws of each state in which they target individuals. If European laws were truly harmonised then this would not be an issue, but they are not. What the most recent Opinion brings into the foreground are the difficulties that will continue to face global businesses until Europe truly harmonises the rules or develops a country of origin approach that will apply to both those in Europe and those targeting European consumers (which will undoubtedly lead to forum shopping).
Needless to say, the proposals for the revised Directive are eagerly awaited.