Tải bản đầy đủ - 0 (trang)
10 Jurisdiction Should Be Based on a Meaningful Link with the Protection of Individuals in the EU: The Effect of an Act on the Internet on Individuals Residing in a Jurisdiction

10 Jurisdiction Should Be Based on a Meaningful Link with the Protection of Individuals in the EU: The Effect of an Act on the Internet on Individuals Residing in a Jurisdiction

Tải bản đầy đủ - 0trang

9.10 Jurisdiction Should Be Based on a Meaningful Link with the Protection…



479



This means that a solution is required for a problem that the Court of Justice

already recognised in Lindqvist.165 In principle, every publication on a website by a

public or private actor based in a third country containing personal data that can be

accessed within the European Union has an effect in the Union and could thus trigger the applicability of EU data protection law.

In theory, the European Union could, therefore, claim jurisdiction over the entire

internet. Kuner mentions the example of the publication by a company in China of

the payroll data of its employees, who are all residing in China.166 This publication

is accessible from the Union, but the link with the Union is very weak and claiming

jurisdiction would be difficult to justify, whereas there is a legitimate claim of jurisdiction by a third country that should be respected.

This example shows that any – theoretical – effect would not be enough to claim

EU jurisdiction, but that a stronger effect on the privacy and data protection of individuals within the European Union is needed to establish jurisdiction for EU law.

Above, we explained that public international law, as interpreted in Lotus,167 does

not limit the prescriptive jurisdiction of a state (nor of the Union) and allows the

simultaneous exercise of a multiplicity of jurisdictions. An alternative presented by

Ryngaert is the conferral of jurisdiction on the state with a strong link, or even the

strongest link, with the matter to be regulated. In privacy and data protection, this

strong link could be based on the need for effective protection of individuals in the

Union. Reformulated, a legitimate claim of external EU jurisdiction in this area

should be based on a meaningful link with the effective protection of the individual

in the European Union.

A meaningful link with the protection in the European Union could be established by alternatives for territorial jurisdiction, such as jurisdiction based on nationality, effect, protection and universality.168 In the literature on internet jurisdiction

the emphasis is on personal jurisdiction, based on the need to protect individuals in

view of the effect an act on the internet has on individuals residing in a jurisdiction.

Reidenberg a.o. analyse personal jurisdiction, based on a test of effects. This test has

similarities with a test based on the need for protection of the persons falling within

the jurisdiction.169 The test combines components of nationality, effect and protec-



 Case C-101/01, Lindqvist, EU:C:2003:596, at 56–71. In Lindqvist the CJEU ruled on a situation

of uploading of personal data on the internet, by a European resident. The CJEU dealt with the

question arose this simple uploading automatically means a transfer of personal data to third

countries.

166

 Kuner in: Data protection anno 2014: how to restore trust? Contributions in honour of Peter

Hustinx, European Data Protection Supervisor (2004–2014), Hielke Hijmans and Herke

Kranenborg (eds), Intersentia 2014, at 216.

167

 P.C.I.J., S.S. Lotus, P.C.I.J. Reports, Series A, No. 10 (1927).

168

 See Sect. 9.9 above.

169

 Joel R. Reidenberg a.o., Internet Jurisdiction, Survey of Legal Scholarship Published in English

and United States Case Law (Fordham Center on Law and Information Policy, 2013). This survey

gives an overview of case law, with a focus on the US. The angle is mainly private international

law.

165



480



9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…



tion. Universality is not claimed, because universality would amount to establishing

jurisdiction over the entire internet.

The first relevant element of the test is nationality or personal jurisdiction based

on residence. The relationship in data protection law between nationality, citizenship, residence or any other link of a person to the jurisdiction of the European

Union has not been clarified in EU law. The TFEU and the Charter confer the right

to data protection on “everyone”. This means that nationality – or EU citizenship

based on the nationality of a Member State170 – is not the condition for protection

under EU law.171 Everyone is entitled to protection, but there is a limitation, because

it is only within the scope of EU law that individuals are entitled to protection.

However, this limitation does not precisely circumscribe jurisdiction, in view of the

borderless nature of the internet.

The second relevant element of the test is based on the doctrine of effect for

claiming territorial jurisdiction. This doctrine was the basis for a ruling of a French

court ordering Yahoo! to prevent the access in France of webpages with Nazi material, coming from the United States.172 The ruling was criticised as a threat to the

freedom of expression because it resulted, on the basis of the doctrine of effect, in

the restriction of the dissemination of content it regulated.173 However, this ruling

did have a positive effect from the perspective of protection, as has been argued by

Reidenberg.174 The ruling empowers a state – in casu France – to protect its values

on the internet, because of the effect of the publication in this state.

The doctrine of effect is closely linked to personal jurisdiction based on residence. There is case law recognising that a statement on the internet affecting persons in other countries is sufficient to establish jurisdiction. A case often mentioned

in literature is the ruling of the High Court of Australia in Dow Jones v Gutnick175

on a defamation in a US web magazine posted in the US, affecting an individual in

Australia. The High Court mentioned the uniquely broad reach of the internet, and



170



 As laid down in Article 20 TFEU. See also Chap. 4, Sect. 4.9 of this book.

 Kuner in: Data protection anno 2014: how to restore trust? Contributions in honour of Peter

Hustinx, European Data Protection Supervisor (2004–2014), Hielke Hijmans and Herke

Kranenborg (eds), Intersentia 2014, at 219.

172

 Joel R. Reidenberg, The Yahoo! Case and the International Democratization of the Internet,

Fordham Law & Economics Research Paper No. 11, 2001.

173

 Brendan Van Alsenoy and Marieke Koekkoek, Internet and jurisdiction after Google Spain: the

extraterritorial reach of the ‘right to be delisted’, International Data Privacy Law, Vol. 5, No. 2,

2015, at 110.

174

 Joel R. Reidenberg, The Yahoo! Case and the International Democratization of the Internet,

Fordham Law & Economics Research Paper No. 11, 2001, at 14.

175

 Dow Jones v Gutnick (2002) 210 CLR 575 (Australia), as described by Dan Jerker B. Svantesson,

Extraterritorial Data Privacy Law, 2013, at 34–39, and by Joel R. Reidenberg, “Technology and

Internet Jurisdiction”, University of Pennsylvania Law Review, vol. 153/1951, 2005, at 1955–

1956. An overview of literature is found in: Joel R. Reidenberg a.o., Internet Jurisdiction, Survey

of Legal Scholarship Published in English and United States Case Law (Fordham Center on Law

and Information Policy, 2013), at 16–17.

171



9.10 Jurisdiction Should Be Based on a Meaningful Link with the Protection…



481



accepted jurisdiction in Australia. It was criticised for that, because it extends the

liability for speech to a wide range of foreign laws.176

A solution for limiting this wide effect is the use of geolocation technologies,

specifying the access to content according to the location of the internet user.177 It is

a solution enabling countries to assert jurisdiction over acts conducted abroad and

at the same time to limit the impact of its jurisdiction to its own territory.178 This

solution also plays a role in the follow up of Google Spain and Google Inc.,179 in

relation to the technical possibility to prevent internet users in Europe from accessing search results on Google.com that have been delisted in the European versions

of Google.180 This possibility has been criticised: geolocation technologies are said

to threaten the open nature of the internet,181 leading to fragmentation of the

internet,182 and would allow repressive regimes to censor search results.183

This criticism relates to the global and borderless structure of the internet and

more particularly to the fact that any governmental action has an external effect, and

hence has an impact on the discretion of other jurisdictions to regulate the internet

according to their (constitutional) preferences. An even further reaching argument

is that intervention by the Union (or national governments) based on European or

national values would not be in conformity with the internet as a global, unfragmented environment. The criticism is rebutted by the argument of Reidenberg mentioned above: a state must be empowered to protect is constitutional values on the

internet. If not, the state is not able to exercise a core task: the effective protection

of the fundamental rights of citizens. Just to recall, the perceived lack of protection

on the internet as a result of big data and mass surveillance is one of the triggers of

this book.184

The General Data Protection Regulation addresses this need for effective protection, although it is not very precise. Recital 14 states: “The protection afforded by

176



 Joel R. Reidenberg a.o., Internet Jurisdiction, Survey of Legal Scholarship Published in English

and United States Case Law (Fordham Center on Law and Information Policy, 2013), at 16–17.

177

 Joel R. Reidenberg a.o., Internet Jurisdiction, Survey of Legal Scholarship Published in English

and United States Case Law (Fordham Center on Law and Information Policy, 2013), at 25–26.

178

 Brendan Van Alsenoy and Marieke Koekkoek, Internet and jurisdiction after Google Spain: the

extraterritorial reach of the ‘right to be delisted’, International Data Privacy Law, Vol. 5, No. 2,

2015, at 114.

179

 Case C-131/12, Google Spain and Google Inc., EU:C:2014:317

180

 The Advisory Council to Google on the Right to be Forgotten, Final Report, 6 February 2015,

https://drive.google.com/file/d/0B1UgZshetMd4cEI3SjlvV0hNbDA/view, at 5.4. See also

Brendan Van Alsenoy and Marieke Koekkoek, Internet and jurisdiction after Google Spain: the

extraterritorial reach of the ‘right to be delisted’, International Data Privacy Law, Vol. 5, No. 2,

2015, at 113–116.

181

 Joel R. Reidenberg a.o., Internet Jurisdiction, Survey of Legal Scholarship Published in English

and United States Case Law (Fordham Center on Law and Information Policy, 2013), at 26.

182

 See Chap. 3, Sect. 3.4.

183

 The Advisory Council to Google on the Right to be Forgotten, Final Report, 6 February 2015,

https://drive.google.com/file/d/0B1UgZshetMd4cEI3SjlvV0hNbDA/view, at 5.4.

184

 See Chap. 1 of this book.



482



9  Understanding the EU Mandate Under Article 16 TFEU in the External Domain…



this Regulation should apply to natural persons, whatever their nationality or place

of residence, in relation to the processing of personal data. […]” However where the

controller is based outside the European Union, it only applies to EU residents,185

when goods and services are offered to them or their behaviour is being monitored.

Article 3(2) of the General Data Protection Regulation contains an interesting specification: the monitoring of their behaviour is only covered as far as their behaviour

takes place within the European Union.186 An EU citizen travelling in the United

States would, in the perception of the Council, thus not protected against monitoring. However, there is no communis opinio as to whether the EU citizen travelling

in a third country is protected by EU law when goods and services are offered to him

or her.

On the basis of these considerations, we conclude that a meaningful link with the

European Union could consist of personal jurisdiction based on residence and the

doctrine of effect, legitimising extraterritorial effect. This book suggests that, in the

external domain, the Union should promote this foundation of (personal) ­jurisdiction

in international organisations, aiming at ensuring that individuals are effectively

protected within their jurisdiction, but without the result that the entire internet falls

within the scope of a specific jurisdiction, such as EU law. This suggestion does not

aim at solving the problem of internet jurisdiction, but could be included in the EU

action on the international scene in the area of privacy and data protection.



9.11  A

 rticles 3(5) and 21 TEU as the Starting Point for EU

Action on the International Scene in Privacy and Data

Protection

9.11.1  Introductory Remarks

Articles 3(5) and 21 TEU specify that the European Union has an active role in

upholding and promoting democracy, the rule of law and fundamental rights. In the

Laeken Declaration187 of 2001, the European Council positioned the Union as a

“power seeking to set globalisation within a moral framework”, emphasising the

need of taking responsibility for globalisation. Cremona calls this the role of the

Union as stabiliser of the world.188 Bradford states that this role is based on the



185



 Article 3(2) GDPR.

 This addition was introduced by the Council, Council document 9565/15 of 11 June 2015.

187

 European Council, Presidency conclusions - Laeken, 14 and 15 December 2001, incl. Annex I

Laeken Declaration on the future of the European Union, at 20, also pointing at glorious European

events, the Magna Carta, the Bill of Rights, the French Revolution and the fall of the Berlin Wall.

188

 Marise Cremona, “The Union as a global actor: Roles, models and identity” CMLR 41, pp. 553–

573, at 558.

186



9.11 Articles 3(5) and 21 TEU as the Starting Point for EU Action on the International…



483



claim that these values of the Union are “normatively desirable and universally

applicable”.189

This active role of the European Union in upholding and promoting its core values is the starting point for the approach of the Union in privacy and data protection.

In this approach, the ambition to promote and apply EU data protection law extraterritorially plays an important role.190

Article 21 TEU does not only specify principles for EU action, in particular

democracy, the rule of law and human rights, it also lays down that the Union should

seek partnerships with democratic third countries and organisations. These partnerships are a vehicle for enhancing a global level of democracy, the rule of law and the

protection of human rights.

In the area of privacy and data protection, the logical options for such a partnership would be a close cooperation between the EU and the US, as jurisdictions

­sharing the main aspirational goals,191 and closer cooperation within the OECD. The

common aspirational goals are elaborated in the OECD Guidelines on the Protection

of Privacy and Transborder Flows of Personal Data.192 Moreover, both jurisdictions,

as well as the OECD, face similar challenges as a result of the main developments

in the information society. Big data, as well as the surveillance practices revealed by

Snowden, are the logical examples of such challenges.193

Of course, the most obvious candidate for a partnership in the area of privacy and

data protection would be the Council of Europe. The Council of Europe did not only

set the standard for privacy and data protection in the European Union and within

the whole European continent, it also opened Convention 108194 for accession by

non-European countries. As mentioned above, Uruguay was the first non-European

country to accede in 2013.

The following sections of this chapter specify the impact of the ambitions of the

European Union in the external arena. The fact that the Union is an organisation

based on the values of democracy, the rule of law and fundamental rights, determines the content of the action as well as the choice of the most promising

strategy.





Anu Bradford, “The Brussels Effect”, Northwestern University Law Review, Vol. 107,

No. 1, 2012.

190

 Kuner even speaks about an apparent decision to do this, Christopher Kuner, The European

Union and the Search for an International Data Protection Framework, Groningen Journal of

International Law, volume 2, number 2, pp. 55–71, 2014, at IV.1.

191

 David C. Vladeck, A U.S. Perspective on Narrowing the U.S.-EU Privacy Divide, in “Hacia un

Nuevo derecho europea de protección de datos, Towards a new European Data Protection Regime,

Artemi Rallo Lombarte, Rosario García Mahamut (eds), Tirant lo Blanch, 2015.

192

 1980, as amended on 11 July 2013 by C(2013)79.

193

 Further read: “Privacy Bridges, EU and US privacy experts in search of transatlantic privacy

solutions”, Amsterdam / Cambridge, September 2015, https://www.cbpweb.nl/sites/default/files/

atoms/files/privacy_bridges_paper.pdf.

194

 Article 23 of Convention for the Protection of Individuals with regard to Automatic Processing

of Personal Data, ETS No. 108.

189



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

10 Jurisdiction Should Be Based on a Meaningful Link with the Protection of Individuals in the EU: The Effect of an Act on the Internet on Individuals Residing in a Jurisdiction

Tải bản đầy đủ ngay(0 tr)

×