Last week, the Belgian Privacy Commission published (a first part of) its much anticipated recommendation following its investigation into Facebook's data processing activities.
For the data protection community, the most interesting part of this recommendation is not the assessment of Facebook's compliance. The real importance concerns the regulatory interpretation of the EU Data Protection Directive's applicable law principles, a topic that is of particular importance to all non-EU headquartered companies that process personal data in the EU.
Recap of the applicable law principle
To determine whether EU data protection law applies at all and, if so, which EU Member State's data protection law(s), article 4 of the Directive 95/46/EC sets out a twofold test:
- Step 1 - The establishment test: If the data controller processes personal data in the context of the activities of an "establishment" (i.e. a subsidiary or a branch office) on the territory of a Member State, only the data protection laws of that Member State will apply (article 4.1.a). This is the case even if the personal data in question is collected from individuals resident in other EU Member States;
- Step 2 - The equipment test: If the data controller does not have such an establishment on the territory of a Member State, but it uses "equipment" to process personal data situated in the territory of one or more Member States, the data protection laws of those Member States will apply (article 4.1.c).
At first sight these rules seem quite straightforward. However, over recent years, it has become more and more difficult to apply them to the reality of multinational corporations that have their headquarters outside the EU and that have incorporated a number of subsidiaries or branches in one or more Member States.
The crux of the problem is to determine which entity in a multinational group qualifies as the "data controller" for European data protection compliance purposes. For many years, a lot of US multinationals have taken the approach of incorporating an affiliate in a tax-friendly Member State (such as Ireland, Luxembourg or the Netherlands), indicating that this affiliate qualified as data controller for the purpose of their processing activities in Europe.
As a result of creating this EU "establishment" and then applying the Establishment Test described above, their processing activities were subject to the data protection laws of only that particular Member State, and they were only subject to the regulatory scrutiny of that Member State's regulator.
First attempts by Member States to circumvent this principle
This evolution has been ill-received by many civil rights activists and regulators based in Member States due to concerns that multinational businesses may be exploiting the Establishment Test for forum shopping purposes (On this topic, see my colleague Phil Lee's recent blog post).
In more recent times, some data protection authorities and national courts have therefore refused to recognize multinationals' nominated EU data controlling subsidiaries and sought to apply the Equipment Test instead so as to find their national law applicable.
In 2013, two German courts for instance ruled that Apple and Google had to comply with German data protection law, rejecting their argument that German law did not apply. Last year, the High Court of Berlin came to the same conclusion in a case against Facebook and disregarded Facebook's argument that Facebook Ireland qualified as its EU data controller and therefore, under the Establishment Test, it should only comply with Irish data protection laws.
The Belgian Privacy Commission's Facebook recommendation
In its recent recommendation, the Privacy Commission has taken a similar approach to justify that Belgian data protection law applies.
Almost half of the recommendation is used to justify why Facebook is subject to Belgian law. The Privacy Commission's arguments can be summarized as follows.
- Facebook, Inc. and not Facebook Ireland is the data controller
On the basis of a detailed factual analysis, the Privacy Commission firstly concludes that Facebook Ireland cannot qualify as a data controller because it "does not appear to be able to take independent decisions when it comes to determining the purpose and the resources relating to the processing of the personal data of Belgian citizens".
In this regard, the Privacy Commission attaches a lot of importance to the fact that the new privacy policy, which kicked off the investigation in the first place, has been rolled out globally, without a specific version issued by Facebook Ireland that was adapted for the EU market. Another element that was relied upon is the fact that the privacy policy did not refer to the term "personal data" but rather to the more generic/US-inspired terms "data" and "personal information" - though quite why these terms should be relevant to an assessment of an entity's controllership (or lack of it) is far from clear.
For those reasons, the Privacy Commission takes the view that Facebook, Inc., with its registered office in the US, has to be considered the sole data controller.
- Facebook Belgium qualifies as an establishment in the sense of article 4.1.a of Directive 95/46/EC
Having concluded that Facebook, Inc. qualifies as data controller, the Privacy Commission then goes on to examine the role of Facebook Belgium.
Facebook Belgium is a subsidiary of Facebook, Inc. whose corporate purpose is reportedly limited to public policy and legislative and regulatory outreach activities and is not involved in any commercial activity as such.
However, applying the principles of the ECJ's Costeja "Right to be Forgotten" judgment (C‑131/12 - see also our blog post on this decision), the Privacy Commission concluded that Facebook Belgium is an establishment of Facebook, Inc. because it considered these activities to be "inextricably linked" to Facebook, Inc.'s activities - the first reported instance of the Right to be Forgotten judgment being applied by a local regulator to submit another major US-led multinational to a Member State's local data protection laws.
- Alternatively, Facebook Inc. uses equipment on the Belgian territory
The recommendation then goes on by stating that even if Facebook Belgium (or any other Facebook affiliate in the EU for that matter) does not qualify as an establishment in the context of which Facebook, Inc. processes personal data, then Facebook, Inc. is still subject to the Belgian data protection laws by virtue of the Equipment Test due to its use of cookies and other tracking technologies served on Belgian residents' devices.
Practical implications for other businesses
Until today, like many multinational businesses, Facebook has consistently maintained that it is only subject to Irish data protection law by virtue of having an Irish data controller. With the Privacy Commission now threatening to initiate legal proceedings, it will be interesting to see how this matter evolves.
In the meantime, a few general conclusions can already be drawn:
First, the criticism around forum shopping is ever increasing. The lack of a harmonised enforcement approach in the EU, and the perception (rightly or wrongly) that certain DPAs have been too lenient has resulted in a situation in which many national data protection authorities are trying to protect their citizens by applying their own national law, regardless of the principles laid down in article 4 of Directive 95/46/EC.
Second, non-EU-based businesses should therefore carefully consider how they want to respond to this risk when approaching their EU data protection compliance. Naturally, any business wants to avoid the legal uncertainty and risk that arises from potentially having to comply with the laws of all 28 Member States.
While it therefore makes sense to create an EU subsidiary to fulfil a data controller role, it is not sufficient to simply "nominate" one on paper. Businesses must put in place the conditions and controls that allow this EU subsidiary to really act as data controller in the field. This implies devolved decision-making autonomy to the EU subsidiary and (if necessary) arm's length subcontracting back of carefully monitored and controlled data processing activities to the non-EU parent. Similarly, the EU subsidiary needs to play an active role in designing and implementing the business's data protection policies to ensure they reflect EU compliance requirements.
Additional measures might include appointing a data protection officer within the EU subsidiary, accountable for ensuring the business's compliance with EU data protection law. Similarly, training programs run within the EU subsidiary that ensure local staff are aware of their data protection responsibilities, and internal audit programs intended to monitor the EU subsidiary's compliance with EU data protection requirements (including in respect of any activities it subcontracts back to its parent) will also be valuable steps to take.
In the absence of such factual control by the EU subsidiary, businesses risk being caught in a situation where they must comply with the data protection laws of potentially all Member States in which they have affiliates, customers or even just cookies. And that would bring them back to square one.