Topic: Privacy

Who: Higher Administrative court of Schleswig Holstein in Germany

Where: Germany

When: April 2013

Law stated as at: May 2013

An administrative court in Germany for Schleswig-Holstein ruled that the German Data Protection Agency (ULD) did not have jurisdiction over Facebook's activities in Germany, and that only the Irish Data Protection Law applies, as Facebook has its main European office there. ULD then appealed to the Higher Administrative Court (OVG) which upheld this decision. The issue arose concerning a dispute with the ULD, which challenged Facebook's policy of requiring users to use their real names rather than pseudonyms.

In December 2012, the ULD (German Data Protection Commissioner) issued a ruling requiring Facebook to unblock those accounts that were blocked for using a pseudonym and also stated that Facebook should give its users the option to register both with their real name and with a pseudonym. The ULD stated that Facebook's real-name policy conflicts with s 38 V 1 of the Bundesdatenschutzgesetz (BDSG — German Federal Data Protection Act), read in conjunction with s 13 VI of the Telemediengesetz (TMG — German Teleservices Act).

Facebook entered an objection with the German courts claiming that the ULD did not have jurisdiction over this matter and that only Irish law applies. The court accepted the motion and granted Facebook's request. The Administrative Court of Schleswig-Holstein ruled that German Data Protection Laws are not applicable because Facebook has an Irish branch and only Irish Data Protection Laws apply, which provide no right to anonymous or pseudonymous use of media.

ULD appealed before the Oberverwaltungsgericht (Higher Administrative Court) which confirmed in April that only Irish law applies.

The German Federal Data Protection Act does not apply where there is a controller located in another Member State of the European Union or European Economic Area, which collects, processes or uses personal data, except where such collection, processing or use is carried out by a branch in Germany. German law may still apply to a Controller that is not located in the European Union or European Economic Area, which collects, processes or uses personal data in Germany.

The Court stated that, although Facebook has an office in Germany, this office just deals with marketing and press issues and is not involved in the handling of online user's personal data.

The Court left the issue open as to whether Facebook Ireland acts alone or together with Facebook Inc., but concluded under Article 4 of the Directive that Facebook Ireland Ltd is the only establishment that has control over the personal data of Facebook members outside North America. The court also looked at the size of the entity in Europe and considered it was of sufficient size (over 400 employees) to effectively control the handling of data. The choice of German law in its terms and conditions does not on its own lead to the application of German Data Protection Law.

It is important for organizations to have a clear understanding of which laws apply and this has become increasingly challenging when operating online. In relation to Data Protection Law, there have been a number of instances where numerous European regulators have sought to claim jurisdiction where online activities have an impact on their local citizens and, in many cases, resulting in different conclusions.

The challenge remains particularly strong for non-European entities with either no establishment in Europe or a limited presence in some EU locations, where activities may be limited to marketing activities, rather than having any real control over the data. It is interesting to note that the court looked at the size of the European entity as a factor when determining whether or not it could be exercising control and really acting as a European Controller. This may certainly be relevant for non-EU entities with small establishments in Europe in determining whether their EU entities are in practice acting as Controllers or whether the control remains with the non-EU entity.

This debate will continue with the proposed changes to the Data Protection Directive under the Regulation and the expansion of the criteria, which could result in online businesses being subject to EU law when based outside the EU, where they offer online goods and services into Europe. In addition, the Regulation is proposing a ‘one-stop’ shop for European entities supporting the concept of one lead EU regulator across Europe.

The results of these proceedings could have a significant impact for business operating in a number of locations across Europe, and meanwhile the debate still continues over applicable law in the changes being proposed under the Regulation.

Sue Gold, Partner, Osborne Clarke