Out-Law News 3 min. read
07 Jan 2011, 5:00 pm
Article 4 of the EU Data Protection Directive outlines which law should apply to the gathering or processing of personal data.
The Article 29 Working Party, which is made up of the data protection authorities of the EU's 27 member states, has published an opinion (34-page / 198KB PDF) offering guidance on which country's law should apply when. It said in that guidance that the Commission had identified confusion on the issue because of inconsistent implementation of the Directive.
The Working Party said that the inconsistency could be a result of the way the Directive itself is phrased.
"Such a deficient transposition could be partly explained by the complexity of the provision itself," it said. "A study sponsored by the European Commission highlights the ambiguity and divergent implementation of the applicable law rules in the Directive and recommends that 'better, clearer and unambiguous rules are desperately needed on applicable law'."
The Directive states that organisations must adhere to a country's data protection laws if they are established in that country; if that country's laws apply to the activity as a matter of international public law; or if the organisation has equipment located in that country that processes the data.
The Working Party produced the guidance because of the perceived problems with the way the Directive defined whose law applied to data processing, but also because the nature of business has changed since the Directive was created.
"The complexity of applicable law issues is also growing due to increased globalisation and the development of new technologies: companies are increasingly operating in different jurisdictions, providing services and assistance around-the-clock; the internet makes it much easier to provide services from a distance and to collect and share personal data in a virtual environment; cloud computing makes it difficult to determine the location of personal data and of the equipment being used at any given time," it said.
"It is thus crucial that the precise meaning of the provisions of the Directive dealing with applicable law are sufficiently clear to all involved in the implementation of the Directive as well as in the day-to-day application of national data protection laws in both the public and the private sector," said the opinion.
The guidance said that the Directive talks not about where a data controller is based but where "an establishment" of that controller is based. There could be several establishments of one controller in several countries, it said.
In these cases the law that should apply should not simply be the one where the controller is based, but the one where the activities themselves take place.
"The notion of 'context of activities' – and not the location of data – is a determining factor in identifying the scope of the applicable law," it said. "The notion of 'context of activities' implies that the applicable law is not the law of the Member State where the controller is established, but where an establishment of the controller is involved in activities implying the processing of personal data. In this context, the degree of involvement of the establishment(s) in the activities, in the context of which personal data is processed, is crucial."
In the case of the use of equipment to process personal data, the Working Party said in its opinion that this provision can be used even if an organisation is not the owner of the equipment, but where the equipment is used to process personal data on its behalf.
"Whilst not any use of equipment within the EU/EEA leads to the application of the Directive, it is not necessary for the controller to exercise ownership or full control over such equipment for the processing to fall within the scope of the Directive," it said.
It did clarify, though, that the use of equipment to send data through the EU, such as the use of telecoms cables or postal services, does not trigger data protection laws.
The opinion also suggested improvements to the Directive, proposing that where an organisation has several parts processing data in several EU countries, the law of the place where the organisation is established should apply to all that activity.
This approach should only be taken in tandem with a greater harmonisation of data protection laws, though, to discourage 'forum shopping', the opinion said.