The risk of using US subscription-bases’ services

Adobe block of Venezuelan accounts upon enforcement of an USA President Executive Order questions the subscription-based business model.

Once a path is paved, it will be not crossed just once. In other words: since the USA has started an extensive commercial ban against the EU and its member States, it is within the realm of possible that IT companies and software manufacturer are ordered to stop doing business with a Country.

The Adobe-Venezuelan quarrel is different from the Google – HuaWei story, because while the latter involves (at least in theory) two companies, the former is an act against a Country.

To build an IT industry entirely EU based is a top priority, but the European Commission and the member States seem not caring.

Why The Reasonable Privacy Expectation is a Flawed Test

In Protecting Personal Information we (Professor Wacks and I) argue that the right to privacy should be considered as the right to control our own personal information, where the attribute “personal” means “related to the intimate sphere of the individual.”

A major critics to this approach is held by those who find our definition of “personal information” to vague because what is “personal” for subject A may not be alike for subject B. In contrast, they favour the “reasonable privacy expectation” test that is (supposed to be) an objective standard in ECHR Article 10 cases.

I think that this criticism has no merit. Continue reading “Why The Reasonable Privacy Expectation is a Flawed Test”

On Jurisdiction, the European Court of Justice and the GPDR

In the decision C-507/17 the European Court of Justice holds that

it is not apparent from the legal texts that the EU legislature has struck such a balance as regards the scope of a de-referencing outside the EU, nor that it haschosen to confer a scope on the rights of individuals which would go beyond the territory of the Member States. Nor is it apparent from those texts that it would have intended to impose on an operator, such as Google, a de-referencing obligation which also concerns the national versions of its search engine that do not correspond to the Member States. What is more, EU law does not provide for cooperation instruments and mechanisms as regards the scope of a de-referencing outside the EU.

Thus, the Court concludes that, currently, there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.

The Court therefore reaffirms the prevalence of the legal notion of jurisdiction as a geographical limit to the exercise of State power and – correctly – refers to the borders of the Member States and not of the European Union as such.

On the other hand, it cannot be agreed with the part of the decision where

The Court points out, next, that Google Inc.’s establishment in French territory carries on activities, including commercial and advertising activities, which are inextricably linked to the processing of personal data carried out for the purposes of operating the search engine concernedand, second, that that search engine must, in view of, inter alia, the existence of gateways between its various national versions, be regarded as carrying out a single act of data processing in the context of the activities of Google Inc.’s French establishment. Such a situation therefore falls within the scope of the EU legislation on the protection of personal data.

This is the very same legal principle affirmed by the Court in Costeja-Google Spain to affirm its jurisdiction and enforced by the Italian Data Protection Authority in the injuction that fined Facebook Italy for the Cambridge Analytica scandal.

The injunction verbatim states 1

in this case, the activities examined were unequivocally addressed to Italian users through the sections that Facebook reserves for them to use the services of the social network. The close correlation between the Italian territory and the context of the processing operations carried out, which involved, for the most part, Italian users, is therefore apparent;


even if it refers to the activities of a search engine operated by a non-European entity, the provisions of the judgment of the Court of Justice of the European Union, C-131/12, must also be taken into consideration. In particular, paragraph 60 of that judgment states that”processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, …  when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.

This principle of law is politically understandable, but not legally acceptable.

It may be true that the purpose of advertising is to ‘push’ users to use a service, but it is also true that the actual and technical use of the service itself is originated by the user that sends the data to the USA and that, therefore, the processing starts outside the EU. Thus, in terms of processing of personal data, the direct obligations of the service provider start only later, that is, for example, when information about the user is actively collected through cookies.

However, the fact remains that the legislation on the processing of personal data regulates the collection and not the “contribution” or the mere “support” to the collection of data. Therefore, if the European subsidiaries do not develop (even partially) autonomous activities in the technical process of collecting and further processing of data, it cannot be argued that Community law should also apply to them.

  1. Unofficial translation by Andrea Monti

The EUCJ to Alter The Personal Liability Principle

With a disturbing decision, related to case C-136/17 in re: search engine’s de-listing duties the European Court of Justice hold that

the operator of the search engine as the person determining the purposes and means of that activity must ensure, within the framework of his responsibilities, powers and capabilities, that the activity meets the requirements of EU law in order that the guarantees laid down by EU law may have full effect and that effective and complete protection of data subjects, in particular of their right to privacy, may actually be achieved.

but did not spend a single word on the role and duties of the originator of information. Continue reading “The EUCJ to Alter The Personal Liability Principle”

Protecting Personal Information: a review from ZD – Zeitschrift für Datenschutz

This is the English translation of the review that Axel Spies published on the German review ZD – Zeitschrift für Datenschutz

Andrea Monti/Raymond Wacks, Protecting Personal Information, Oxford (Hart Publishing) 2019, ISBN 978-1-5099-2485-1, € 60.88

Anyone who wants to deal with the concepts of “data protection” and “privacy” on both sides of the Atlantic on the basis of sources should read Andrea Monti’s and Raymond Wacks’ astute analysis. Monti is adjunct professor at the University of Chieti/Italy and Italian lawyer, Wacks is emeritus professor at the University of Hong Kong – an unusual team of authors. Both are proven practitioners in this field and have been dealing with the subject for many years.

EU law (and thus also German law) has its dear misery with the term “privacy”, which comes from Anglo-American law. The term does not appear in the DS-GVO and in Art. 8 para. 1 ECHR, but it does appear, for example, in Directive 2002/58/EC of 12.7.2002: “concerning the processing of personal data and the protection of privacy in the electronic communications sector (EU-ABl. L 201, 31.7.2002, 37)”. Even the translation of the term “privacy” is difficult in Germany. The term “protection of privacy” does not fit as a term for a right of defence, “privacy” is an artificial word, “informational self-determination” is too short a term.

The authors criticize the conventional concept of privacy. It is too vague, misleads to misunderstandings and abuse and can hardly be delimited legally. The concept of privacy comes from the famous 1890 essay by Warren and Brandeis (4 Harvard Law Review 193). From there, it extended like a plant into many areas of life where it had no place from the original conception. The idea of the protection of privacy is, of course, much older, as the confessional secret of the Catholic Church proves or the painting by Millais of 1862 (“Trust me”) under the title of the book, which shows how a husband demands a letter from his wife, which she holds back behind her back. The authors want to cut the concept of privacy back to its roots. Among other things, a “Protection of Privacy Bill” is required, as the authors present in the appendix to the book. The discussion in Germany is somewhat neglected in the book, although the authors at least mention the Hessian Data Protection Act of 1974 as a data protection law big bang.

A core thesis of the authors is that the concept of personal information should be at the centre of privacy. The authors provide numerous examples to show that the terms “personal data” and “privacy” are not synonyms. The same also applies, by the way, to the term “data protection”, which in the USA is associated more with the understanding that the user locks his computer after work, but not with privacy. Whether the EU legislator will do much better with the overflowing term “personal data” in Art. 4 para. 1 DS-GVO than the Anglo-American legal system with its privacy is an open question. Monti poses the provocative question of whether any data processing under the DS-GVO is automatically an interference with the privacy of the data subject (pp. 111 f.). The authors also ask whether the protection of privacy includes the “right to be forgotten” in Art. 17 DS-GVO. Like other commentators, the authors take a very critical view of this right: why is the right to be forgotten of the plaintiff Coteja in the ECJ decision C-131/12 (ZD 2014, 350 m. Karg – Google Spain), which is fundamental for this right, more worthy of protection than the right of other, much more famous persons whose crimes live on in collective memory? In recourse to Roman history, the infamous conspiracy of Catilina around 63 B.C., Monti lets the “Great Conspirator” Catilina appear with the words: “I am Lucius Sergius Catilina and, after 2000 years now, I deserve to be forgotten” (p. 115). Altogether with all its historical references and remarks from both legal circles (USA/GB compared to continental Europe) the book is a worth reading contribution to the long unfinished debate on what the DS-GVO and other laws should protect as legal right.

Dr. Axel Spies is a lawyer at Morgan Lewis & Bockius LLP in Washington DC and co-editor of ZD.