Topic: Privacy
Who: Administrative court of Schleswig Holstein in Germany
When: 14th February 2013
Where: Germany
Law stated as at: 4th March 2013
What happened:
An administrative court in Germany for Schleswig Holstein ruled that the German data protection agency in Germany (ULD) did not have jurisdiction over Facebook’s activities in Germany and that only the Irish Data Protection law applies as Facebook has its main European office there. The judgement is not final and the ULD plans to appeal the decision. The issue arose concerning a dispute with the ULD which challenged Facebook’s policy of requiring users to use their real names rather than pseudonyms.
Background
In December 2012 The ULD (German Data Protection Commissioner) issued a ruling requiring Facebook to unblock those accounts which were blocked for using a pseudonym and also stated that Facebook should give its users the option to register both with their real name and with a pseudonym. The ULD stated that Facebook’s real-name-policy conflicts with s 38 V 1 Bundesdatenschutzgesetz (BDSG- German Federal Data Protection Act) read in conjunction with s 13 VI Telemediengesetz (TMG- German Teleservices Act).
Facebook entered an objection with the German courts claiming that the ULD did not have jurisdiction over this matter and only Irish law applies .
The court accepted the motion and granted Facebook’s request. The Administrative Court of Schleswig-Holstein ruled that German data protection laws are not applicable because Facebook has an Irish branch and only Irish data protection laws apply which provides no right to anonymous or pseudonymous use of media.
ULD stated in a press release that it intends to appeal before the Oberverwaltungsgericht (Higher Administrative Court).
The decision
- The German Federal Data Protection Act does not apply where there is a controller located in another Member State of the European Union or European Economic Area which collects, processes or uses personal data, except where such collection, processing or use is carried out by a branch in Germany.
- German law may still apply to a Controller which is not located in the European Union or European Economic Area, which collects, processes or uses personal data in Germany.
- The Court stated that although Facebook has an office in Germany
- this office just deals with marketing and press issues and is not involved in the handling of online user’s personal data.
- The Court left the issue open as to whether Facebook Ireland acts alone or together with Facebook Inc.. but concluded under Article 4 of the Directive that Facebook Ireland Ltd is the only establishment
- that has control over the personal data od Facebook members outside North America. The court also looked at the size of the entity in Europe and considered it was of sufficient size (over 400 employees) to effectively control the handling of data.
- The choice of German law in the terms and conditions does not on its own lead to the application of German data protection law.
Why this matters:
It is important for organisations to have a clear understanding of which laws apply and this has become increasingly challenging when operating online. In relation to data protection law there have been a number of instances where numerous European regulators have sought to claim jurisdiction where online activities impact their local citizens and in many cases resulting in different conclusions. The
challenge remains particularly strong for non- European entities with either no establishment in Europe or a limited presence in some EU locations where activities may be limited to marketing activities rather than having any real control over the data. It is interesting to note that the court looked at the size of the European entity as a factor when determining whether or not it could be exercising control and really acting as a European Controller. This may certainly be relevant for non EU entities with small establishments in Europe in determining whether their EU entities are in practise acting as Controllers or whether the control remains with the non-EU entity.
This debate will continue with the proposed changes to the Data protection directive under the Regulation and the expansion of the criteria which could result in online businesses being subject to EU law when based outside the EU where they offer online goods and services into Europe . In addition the Regulation is proposing a “one-stop ” shop for European entities supporting the concept of one lead EU regulator across Europe. The German regulator will be appealing the decision of the German court and says it should have jurisdiction over German users.
The results of these proceedings could have a significant impact for business operating in a number of locations across Europe and meanwhile the debate still continues over applicable law in the changes being proposed under the Regulation.