EU Data Protection and the Conflict of Laws: The Usual "Bag of Tricks" or a Fight Against the Evasion of the Law?

Author: Lefebvre, Paul

UNTIL April 2016, the basic principles on the protection of personal data of EU citizens were laid down in Directive 95/46/EC, issued October 24, 1995. (1) This Directive served a double purpose: to ensure the free flow of data from one Member State to another within the internal market, while safeguarding the individual's fundamental rights and freedoms including, notably, his right to privacy. Because differences in the level of protection of an individual's rights with regard to the processing of his data constitute obstacles to the free flow of data, and thus distort competition, the Directive sought to coordinate the divergent laws of the Member States in order to remove these obstacles in a manner that provides for a high level of protection for all EU citizens. As a legal instrument, a directive is only binding upon each Member State with regard to the result to be achieved; it has no direct effect and cannot be invoked by private parties. Moreover, Member States are still left a margin to maneuver, which allows them to specify in their national law the general conditions governing the parameters of lawful data processing, so the Directive acknowledges that new disparities may well arise. (2)

The new General Data Protection Regulation (GDPR), (3) adopted by the Council and the European Parliament in April 2016, brings data protection within the EU to a higher level by establishing a new and harmonized data protection framework across the EU. As a legal instrument, it is of a higher order than a directive because it establishes a single body of law that is directly applicable in the EU Member States. As of May 26, 2018, the GDPR will be directly effective in all EU Member States without the need for national implementing laws, as were required under the Directive.

The aim of the GDPR is to set up a digital single market, with the highest possible common standards for all citizens of the EU Member States, so that each individual remains in control of his or her personal data. This set of unified rules will not only warrant the consumer's trust but also provide businesses with a level playing field throughout the EU when setting up new businesses in the digital economy. At the core of the GDPR lies the rule: "one continent, one law." Companies based outside of the EU will have to apply the same rules when offering services in the EU and should only have to deal with one supervisory authority (a one-stop-shop system), leading to savings estimated at EUR 2.3 billion per year. (4)

Under the Directive, the legal issues of jurisdiction and applicable law were extremely controversial, giving rise to much case-law and doctrine. A new element introduced by the GDPR is its extra-territorial reach: it will not only apply to businesses established within the EU but also to businesses based outside the Union that offer goods and services to, or monitor individuals in, the Union. This article examines to what extent the principles developed by the case law of the Court of Justice of the European Union (CJEU) still apply under the GDPR and, if so, to what extent they can still be used as a source of inspiration in resolving these questions.

  1. From a Patchwork of 27 National Rules to the 'One-Stop-Shop'

    The framework established by the GDPR consolidates the "one-stop-shop" principle already set forth under the Directive; the aim of the GDPR is to ensure that businesses only need to deal with a single supervisory authority (SA) for all processing carried out in the Union, rather than having to deal with the SA of each of the Member States in which the business is active. However, this initial proposal was watered down, mostly following concerns from Member States over the inability of some smaller supervisory authorities to adequately regulate larger businesses, and that these larger businesses would therefore seek to establish themselves in their jurisdiction. Language barriers and local laws were also seen as an impediment to a true "one-stop-shop" system.

    As a general rule, following the one-stop-shop rule, the GDPR provides that a business should be regulated by the SA where it has its main establishment, which will be called the "lead SA." (5) There are two exceptions to this rule: (i) a local SA will still have jurisdiction where processing is carried out by public authorities or private bodies acting on the basis of the legal obligation or public functions; (6) and (ii) a local SA can ask the lead SA to be allowed to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State. (7) If the lead SA decides to handle the complaint, it will cooperate closely with the local SA in accordance with the procedure set out in Article 60 of the GDPR. The lead SA would then be responsible for overseeing all supervisory and enforcement actions across other EU Member States. (8)

    Hence, under Article 56 of the GDPR, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for any cross-border processing carried out by that controller or processor. The GDPR further develops the cooperation mechanisms (9) that the lead supervisory authority and the other relevant authorities should follow for the application of the GDPR.

    Although the GDPR will only apply throughout the EU from May 25, 2018 onward, Member States already have a duty of loyalty and cooperation towards the EU and its objectives. The CJEU has stipulated in similar circumstances where new EU legislation is about to come into effect that "Member States to which [a] directive is addressed [should] refrain, during the period laid down therein for its implementation, from adopting measures liable seriously to compromise the result prescribed." (10)

    Under the Directive, determining the applicable law was a three-step process: (1) first, one had to determine who is the controller of the data processing; (2) whether he has one or more establishments within the EU; and (3) if so, which of these establishments is "more closely linked" to the data processing at hand than the others. This determination is a factual matter. It was for the Courts to examine and determine the exact scope of the activities of European subsidiaries of multinational corporations.

    We will look at each of these steps and examine whether or not these principles still hold under the GDPR and/or if other steps need to be taken into consideration. This analysis will show that the GDPR does not substantially affect the determination of either the jurisdiction of the SA or the applicable law.

    1. Step 1: Who Is the Data Controller?

      Under Article 2(d) of Directive 95/46, "data controller" was defined as the natural persons or entities "which alone or jointly with others determines the purposes and means of the processing of personal data", i.e. the one who determines the "what", "why" and "how" of certain processing activities. (11) In determining the "means", not only the technical and organizational questions are relevant (e.g., which hardware or software must be used) but also the substantive core questions that are only dealt with and answered by the data controller, such as "which data shall be processed?", "for how long shall it be processed?" and "who shall gain access to this data?" Of particular interest are the comments of the Article 29 Working Party on the initial draft Directive, which specify four essential criteria in identifying the controller: purpose, personal data, processing and third-party access to data. (12)

      The core rule that the data protection rules apply to the processing of personal data by a controller or processor remains the same under the GDPR. Article 4 (7) of the GDPR retains the same definition of "controller" as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. It adds that, where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. A new element under the GDPR is the provision that, unlike under the Directive, the actual processor of the personal data (13) will become directly liable for compliance with some parts of the Regulation.

      In practice, where a multinational corporation has different entities within the European Union, the entity that qualifies as "controller" can be identified on the basis of the following questions:

      1) Does this entity devote substantial resources (e.g. staff, financial means) to data protection compliance?

      2) Does it determine the corporation's policies on data use within the Union, ensuring that new products are compliant with EU legislation?

      3) Does it decide on the withdrawal of certain products, should they appear not to meet with the EU requirements?

      4) Does this entity decide on a third party to be given access to the personal data that it holds and under what conditions?

      5) Is there a contractual relationship between this entity and the data subject, allowing for the data subject to make enquiries about their data before this entity or, possibly, lodge claims and complaints before this entity?

      6) Is this entity the focal point with regard to law enforcement and police investigations regarding personal data?

      7) Does it engage with the local Data Protection Control Agency in order to ensure its compliance with both local as well as EU Data Protection legislation?

      The fact that a subsidiary company is "controlled" by the parent company from a corporate law point of view does not imply that the parent is to be considered as the controller in the sense of the GDPR. (14) Indeed, the...
