Data Protection & International Litigation: Upcoming Developments in U.S. and EU Laws
As you would certainly have noted, data protection is on the rise and has become a daily source of concern for individuals as well as companies and businesses (suffice it to recall that, on 25 May 2018, the EU Global Data Protection Regulation (i.e. European Union’s major updated legislation on privacy and data protection) will enter into force. Meanwhile Uber and Equifax have just suffered major data breaches).
As demonstrated by the two cases below, international litigation is not immune from the flurry of excitement over privacy and data protection.
Maximilian Schrems v. Facebook Ireland Limited
The first case concerns a dispute pending before the Court of Justice of the European Union (the CJEU) between Maximilian Schrems and Facebook Ireland Limited (Facebook or Facebook Ireland).
Maximilian Schrems is a well-known Austrian activist in the field of technology and electronic privacy. Previously, Mr. Schrems had successfully challenged the transfer of data from the EU to the U.S. through the Safe Harbour regime.
In the present case, Mr. Schrems (who maintained two presences on Facebook: (i) an “account“, which was for personal use, and (ii) a public “page” used for promoting his books, lectures, media appearances and fundraising activities) sued Facebook Ireland, the European subsidiary of Facebook Inc., for alleged violations of his data protection rights, as well as those of seven other Facebook users.
Mr. Schrems initiated proceedings in the Austrian courts, relying on the consumer jurisdictional privilege provided for in Article 16(1) of the now repealed EU Council Regulation No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (the Brussels I Regulation). This provision allows consumers (i.e. non-commercial parties) to sue the other party to a contract in the courts of the EU Member State in which the consumer is domiciled. Article 18(1) of the currently applicable EU Regulation No 1215/2012 of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (the Brussels Ibis Regulation) contains similar terms.
Facebook challenged the jurisdiction of the Austrian court which then asked the CJEU for help in interpreting the European rules of jurisdiction. Facebook argued that Mr. Schrems was not a consumer, given the public nature of his activities on the site. Facebook added that any consumer jurisdictional privilege which Mr. Schrems enjoys cannot be extended to the claims assigned to him by other Facebook users.
On 14 November 2017, Advocate General Bobek (AG Bobek)* handed down a reasoned opinion (the Opinion) in this case.
According to AG Bobek, the status of consumer arises, as a general rule, from the nature and aim of the contract at the time it was concluded. Once acquired, consumer status will normally persist. A subsequent change in use may, exceptionally, transform the user’s status, but the mere fact of possessing particular knowledge, expertise or public renown due to previous litigation is insufficient to effect such a change in status. AG Bobek therefore suggested that Mr. Schrems’ use of a public Facebook page and his activities in publishing, lecturing and fundraising, for the purposes of litigation and enforcing claims, do not result in the loss of his consumer status in relation to claims arising from his use of a personal Facebook account.
By contrast, AG Bobek maintained that the assigned claims do not enjoy the same consumer jurisdictional privilege. AG Bobek noted that the jurisdictional rules are intended to apply to “the concrete and specific parties to the contract“. Thus, a vehicle for collective redress which specifically seeks to gather litigants and assign their claims to one claimant is incompatible with the consumer jurisdictional privilege. AG Bobek observed that to hold otherwise could lead to abuses of the privilege and widespread forum-shopping. He allowed for the fact that such disadvantages may be outweighed by gains in effective judicial consumer protection and a reduction of the need for concurrent proceedings. This would, however, require a well-designed regulatory framework, the creation of which would be beyond the CJEU’s competence.
Thus, in his Opinion, AG Bobek proposed that Mr. Schrems should maintain his consumer jurisdictional privilege only partially. The privilege would therefore not extend to the claims that had been assigned.
The CJEU will give judgment in the coming months.
United States v. Microsoft Corp.
On 16 October 2017, the U.S. Supreme Court (the Supreme Court) granted certiorari in a case concerning whether Section 2703 of the Stored Communications Act (Section 2703) applied extraterritorially. As some of you may be aware, Section 2703 authorises the government to require a provider of an electronic communication service to disclose information about a wire or electronic communications.
In the case at hand, the U.S. federal government served, on the basis of Section 2703, a warrant to the well-known IT and software company Microsoft Corporation (Microsoft) requiring this company to disclose information about a specific email account used for drug trafficking.
Arguing that Section 2703 did not apply to the case at hand since the content of the requested email account was in fact stored in Ireland and not in the United States, Microsoft refused to comply with the warrant, refused to deliver the requested information to the U.S. government and initiated legal proceedings to have the warrant annulled.
While the trial court denied Microsoft’s motion, this initial decision was reversed on appeal as the U.S. Court of Appeals for the Second Circuit (the Second Circuit) declined to enforce the warrant on the grounds that “enforcing the warrant as to information stored abroad would constitute an impermissible extraterritorial application of Section 2703“.
Contesting the Second Circuit’s position, the U.S. federal government took the case to the Supreme Court arguing that “the Second Circuit [had] seriously misinterpreted the Stored Communications Act“.
In its argument, the U.S. government relied more particularly on the well-known cases RJR Nabisco v. European Community and Morrison v. National Australia Bank in which the Supreme Court ruled that U.S. federal laws contain a presumption against extraterritoriality, and that, in the absence of a clear congressional indication that a statute applies extraterritorially, U.S. federal laws can only have a “domestic application“. In RJR Nabisco, the Supreme Court also made clear that a case may trigger a statute’s “domestic application” even if the case involves foreign elements. Indeed, according to the Supreme Court, in order to determine whether a case involves a “domestic application” of the statute it is necessary to examine the “focus” of the provision at issue. If the conduct relevant to the statute’s focus occurred in the United States, then the case involves a permissible domestic application of the statute (even if other conduct occurred abroad). However, if the conduct relevant to the statute’s focus occurred in a foreign country, the case involves an impermissible extraterritorial application regardless of whether other conduct occurred on U.S. territory.
In its petition for a writ of certiorari, the U.S. government argued essentially that the Second Circuit wrongly applied the ruling of RJR Nabisco when it found that the conduct relevant to Section 2307’s focus was maintaining the privacy of a user’s emails (which occurred at the place where the protected data are stored – in this case, Ireland).
According to the U.S. government (and contrary to the position adopted by the Second Circuit), the focus of Section 2307 is the disclosure of electronic communication. And since the conduct relevant to this focus (i.e. the service of the warrant requiring the disclosure of information by Microsoft) occurred in the United States, Section 2307 should be applicable to the case at hand.
On top of those legal arguments, it is important to note that this case has triggered quite a lot of international attention and several other parties (including the UK, Ireland and New Zealand) have filed amicus briefs. The European Commission also filed an amicus in which it essentially provides explanation on EU data protection law. The European Commission explained that “[w]hile [it] takes no position on the ultimate question of the Stored Communication Act’s proper construction under U.S. law, [it] submits that it would be appropriate for the [Supreme Court] to consider EU domestic law [i.e. the GDPR] as it pertains to searches of data stored in the European Union“.
[UPDATE added on 27 September 2018]: On 17 April 2018, the Supreme Court vacated the judgment of the Second Circuit after the case became moot. A few days earlier, U.S. Congress had enacted an amendment to the Stored Communications Act providing that “[a service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”
The International Litigation Blog will of course keep you posted on any further developments.
In the meantime, let me wish you a Merry Christmas and a Happy New Year.
* In the European judicial landscape, Advocate Generals act in complete impartiality and independence and are requested to submit reasoned opinions on cases before the CJEU. Their opinions, however, are not binding on the CJEU, which can freely decide not to follow the opinions expressed by the Advocate Generals.
The part of this post relating to the Schrems case was largely based on a previous article drafted by my colleagues Koen T’Syen and Benedict Blunnie. It was first published in the November 2017 edition of Van Bael & Bellis’ newsletter on Belgian Business Law.