1.1. The right to privacy and personal data
1.2. The cross border flow of data
2. The applicable law to cross-border data transfer under Directive 95/46/EC
3. The right of claiming compensation for unlawful actions as a result of infringement of Directive 95/46/EC
4. Jurisdiction and enforcement in online cross-border infringements of data privacy
In the eDate case the ECJ addressed a situation of online infringement of personality rights and data privacy and recognized the specificity of the ubiquitous nature of the internet and its worldwide reach. In this case the ECJ weighed the impact that content placed online on a website has on an individual's personality rights and the large extent of the damage that it could cause. In the eDate case, the interpretation of Art. 7, sec. 2 was upheld that the claimant can bring the action for all the damages caused in the court of the place of the event (in the case, the place of the establishment of the publisher of that content) or the courts of each Member State where the damage occurred (in the case, each Member State in the territory of which the content placed online is or has been accessible)28. However, the ECJ adapted the interpretation of the rule to the nature of the internet, noting that content that is placed online can be consulted all over the world, which increases the impact of the damage, regardless of the intention of the person who placed that content online, and noting that «(…) it is not always possible, on a technical level, to quantify that distribution with certainty and accuracy in relation to a particular Member State or, therefore, to assess the damage caused exclusively within that Member State»29. Consequently, the ECJ considered that another court should have jurisdiction to decide the compensation of all the damages caused: the court of the place where the victim has his center of interests30. The center of interests of the victim would generally be his habitual residence, but the ECJ admitted that it can also be the place where the victim pursues his professional activity if the person has a close connection with that State31.
The ECJ justifies the jurisdiction of the court of the place of the victim's center of interests by the purpose of predictability underlying the rules of jurisdiction, because the publisher of the harmful content is in a position to know the center of interests of the person who will suffer the damage.
5. Conclusions
Anabela Susana de Sousa Gonçalves, Professor, Law School – University of Minho, Department of Private Law, Campus de Gualtar, 4710-057 Braga, Portugal, asgoncalves@direito.uminho.pt; www.direito.uminho.pt
- 1 See Svantesson, Extraterritoriality in Data Privacy Law. Ex Tuto Publishing, Denmark, p. 43 (2013).
- 2 About the concept of data privacy, v. Svantesson, Extraterritoriality in Data Privacy Law. Ex Tuto Publishing, Denmark, pp. 25–26 (2013). The infringement of data privacy law has already been considered by the European Court of Human Rights in several cases, as reported by Nardell, Levelling up: Data Privacy and the European Court of Human Rights. Gutwirth/Poullet/De Hert, Data Protection in a Profiled World, Springer, Dordrecht, Heidelberg, London, New York, pp. 43–52 (2010).
- 3 About the lack of harmonization, see De Hert/Papakonstantinou, The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals. Computer Law & Security Review, Vol. 28, pp. 132–141 (2012); Wong, Data Protection: The Future of Privacy. Computer Law & Security Review, Vol. 27, pp. 54–55 (2011).
- 4 Bygrave, Privacy Protection in a Global Context – A Comparative Overview. Scandinavian Studies in Law, Vol. 47, pp. 320–338 (2004).
- 5 In private relations related with more than one legal system, the conflict-of-law rules determine which law shall apply and in which legal system the solution must be reached. About the choice of law problem, see Audi, Droit International Privé. Economica, 4th Ed, Paris, pp. 81–83 (2006); Hoffman/Thorn, Internationales Privatrecht einschließlich der Grundzüge des Internationalen Zivilverfahrensrechts. Verlag C.H. Beck, München, pp. 177–178 (2005); Fawcett/Carruthers, M., Cheshire, North & Fawcett Private International Law. Oxford University Press, 14th Ed, Oxford, pp. 8–9 (2008).
- 6 European Commission, Safeguarding Privacy in a Connected World, A European Data Protection Framework for the 21st Century, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. Brussels, 25 January 2012, COM(2012) 9 final, p. 7.
- 7 As Bygrave, European Data Protection, Determining Applicable Law Pursuant to European Data Protection Legislation. Computer Law & Security Report, Vol. 16–4, p. 255 (2000), points out, in cases of several controllers, it is possible that the situation of processing of personal data is subject to more than one national law.
- 8 The controller must be distinguished from the processor, as the person or entity «(…) which processes personal data on behalf of the controller» (Art. 2 (e)).
- 9 Art. 29 Data Protection Working Party, Opinion 8/2010 on applicable law. Working Paper 179, p. 20 (2010).
- 10 Kuner, Regulation of Transborder Data Flows under Data Protection and Privacy Law: Past, Present and Future. OECD Digital Economy Papers 187, p. 25 (2011).
- 11 European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Brussels, 25 January 2012, COM(2012) 11 final, pp. 1–118.
- 12 European Commission, Safeguarding Privacy in a Connected World, A European Data Protection Framework for the 21st Century, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. Brussels, 25 January 2012, COM(2012) 9 final, p. 7.
- 13 For a detailed analysis, see De Hert/Papakonstantinou, The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals. Computer Law & Security Review, Vol. 28, pp. 132–141 (2012).
- 14 European Commission, Safeguarding Privacy in a Connected World, A European Data Protection Framework for the 21st Century, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. Brussels, 25 January 2012, COM(2012) 9 final, p. 20.
- 15 European Commission, A comprehensive approach on personal data protection in the European Union, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. Brussels, 4 November 2010, COM(2010) 609 final, p. 4.
- 16 About the EU policy of cooperation in civil matters, see Gonçalves, Anabela Susana de Sousa, Da Responsabilidade Extracontratual em Direito Internacional Privado, A mudança de paradigma. Almedina, Coimbra, pp. 212–226 (2013).
- 17 The initial proposal of the Rome II Regulation, dated 2003, had a conflict-of-law rule for non-contractual obligations arising out of violations of privacy and personality rights: European Commission, Proposal for a Regulation of the European Parliament and the Council on the law applicable to non-contractual obligations («Rome II»). Brussels, 22 July 2003, COM(2003) 427 final, pp. 17–18, 35.
- 18 See a possible systematic interpretation of Art. 1 sec. 2 (g) of Rome II Regulation, Gonçalves, Da Responsabilidade Extracontratual em Direito Internacional Privado, A mudança de paradigma. Almedina, Coimbra, pp. 265–267 (2013).
- 19 This regulation replaced Regulation No 44/2001 (Brussels I) after 10 January 2015 in accordance with the conditions set in Art. 66 of Brussels I recast.
- 20 European Parliament, Report with recommendations of the Commission on the amendment of Regulation (EC) No 864/2007 on the law applicable to non-contractual obligations (Rome II). A7-0152/2012, 2 May 2012, pp. 2–9.
- 21 This is annulled when the Rome II Regulation is applicable, because the Member State courts will apply the same conflict-of-law rules to similar situations and consequently apply the same law. But the infringement of personality rights is excluded from the material scope of application of the Rome II Regulation, so each Member State court will apply its national conflict-of-law rules.
- 22 Corresponding to Art. 5, sec. 3, of Regulation No 44/2001 (Brussels I).
- 23 See, e.g., Handelskwekerij G. J. Bier B.V. v Mines de Potasse d’Alsace S.A., case 21/76, ECR 1735 (1976).
- 24 Zuid-Chemie v. Philippo's Mineralenfabriek NV/SA, case C-189-08, ECR I-06917 (2009); Rudolf Kronhofer v Marianne Maier and Others, case C-168/02, I-06009 (2004); Dumez France SA and Tracoba SARL v Hessische Landesbank and others, case C-220/88, I-00049 (1990).
- 25 ECJ, Fiona Shevill, Ixora Trading Inc., Chequepoint SARL and Chequepoint International Ltd v Presse Alliance SA, case C-68/93, ECR pp. I–415 et seq (1995).
- 26 Idem, ibidem.
- 27 Idem, ibidem.
- 28 eDate Advertising GmbH v X (C-509/09) and Olivier Martinez and Robert Martinez v MGN Limited (C-161/10), joined cases C-509/09 and C-161/10 ECR pp. I–10269 et seq (2011).
- 29 Idem, ibidem.
- 30 Idem, ibidem.
- 31 Idem, ibidem.