On the First Day of Privacy, the EU Gave to Santa…(Data Protection Laws)
If your company doesn’t have an office in the EU, but collects or receives personal data from the EU in the course of running its business, it can be a bit tricky to determine whether or not EU Data Protection laws apply to you. The new Data Protection Regulation, expected sometime in 2015, may make this easier to work out. However, the Regulation is not likely to stray far from the current approach.
Let’s take Santa Claus. Santa is the president of a long-established business (The Workshop) with a global reputation and particularly strong markets in North America, South America and Europe. Right now, his business (unincorporated, although the elves are lobbying to convert it to a collective) has a single manufacturing and distribution center located in the North Pole. However, the company’s CEO (Chief Elf Officer) wants to establish distribution depots in Chicago, Buenos Aires, London and Naples to make that critical peak period (100% of orders delivered within 24 hours each year) easier to manage with less stress on the reindeer.
Santa has been wondering whether all of those wish lists from the little boys and girls in Europe (all signed very politely, with their full names and addresses to make sure their gifts aren’t tragically mis-delivered) need to be treated in accordance with EU Data Protection laws. Santa (who had never hired a GC) decided to look into this question under the current Data Protection Directive.
Santa spent hours on the Web, munching through three plates of Mrs. Claus’s excellent Christmas cookies, looking at the Data Protection Directive and the opinions of the Art. 29 Working Party and various bloggers, and came up with the following insights:
Article 4 of the Directive says that a company that is either “established” in the EU or uses equipment in the EU to process personal data (other than mere transit of the data) is subject to the Directive. Santa was relieved about the first part – he clearly has one place of business, The Workshop, located at the North Pole, and under international law no country owns the North Pole. Santa also took some comfort that Recital 19 of the Directive states that “establishment” requires “the effective and real exercise of activity through stable arrangements.” His once-a-year visit to Europe, which lasted only a few frantic hours, didn’t seem to trigger “establishment.”
Just to be on the safe side, Santa took a quick look at the Art. 29 Working Party Opinion 179 on applicable law to see what the Working Party thought about the “establishment” question. (Santa understood that Art. 29 Working Party opinions aren’t legally binding, but since the Working Party is made up of representatives of the EU’s national data protection authorities, he thought it was a good idea to check.) In the end, Santa concluded that The Workshop wasn’t established in the EU (for now, anyway . . . he realized that those distribution depots in London and Naples that his CEO wanted would change that).
However, Santa wasn’t too sure about the notion of the use of equipment in the EU to process personal data. What exactly did that mean? In the old days, kids just wrote him letters. But that entrepreneurial CEO had persuaded him to set up an e-mail address . . . and then a website for The Workshop. . . so their operation would be “greener.” Santa knew that websites need something called a “server.” So Santa asked his CEO if The Workshop used any servers or other data processing equipment located in Europe. The CEO said no, The Workshop website was hosted in India.
That sounded good to Santa. But Santa had come across an Art. 29 Working Party “working document determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites” that seemed to take a very broad view of what it meant to “use equipment.” Santa read that placing a cookie on a user’s mobile phone, computer or other device in Europe could constitute using equipment in Europe to process personal data (assuming that the cookie allowed the collection of some personal data). So Santa asked his CEO whether the website used any cookies.
The CEO said yes, indeed, The Workshop’s website used absolutely brilliant cookies that tracked which toy ads the kid clicked on in case the kid forgot to write her letter to Santa! It even tracked how many times the kid went back to a particular toy ad. Thanks to the website, parents all over the world had given The Workshop top ratings for knowing what their kids wanted even before the parents did!!
Santa threw up his hands. He didn’t even bother looking at the Google Spain case, which he had heard held that companies could be found to be “established” in Europe simply due to the advertising activities of their subsidiaries, or the recent Internet of Things Art. 29 Working Party opinion that said that smart “things” could trigger the “use of equipment” prong. (All of those newfangled toys that The Workshop was churning out by the millions with embedded chips and wi-fi and data-collecting apps . . . !) And Santa didn’t even want to think about that comment in the WP opinion on applicable law that the personal data of people who had no connection whatsoever to the EU could be subject to the Directive if the processing of that data took place in the EU.
Instead, Santa told his CEO that he might as well get going with setting up the distribution depots in London and Naples, and, while he was at it, to find a lawyer to review The Workshop’s privacy notices and practices, not forgetting a detailed cookies consent, pronto.
Then Santa stomped off to eat some more cookies.
If your operations touch a European Union country, be like Santa in 2015 — review your compliance profile (including the cookies…..)!