Politicians who are consumed by years in power often decide on a policy that fits their viewpoint, and then identify the “facts” to justify why this policy should be imposed on the rest of us. Mrs Thatcher’s “Poll tax” and the Mr. Blair’s “Iraqi exploits” are classic examples of this genre.
Well I think this kind of approach explains two important data protection issues:
• Why Google, despite its predominate and powerful position, lost two recent Court cases (the ECJ “right to be forgotten” judgment and a UK judgment concerning marketing without consent – see references).
• Why the “one-stop shop”, as proposed by the European Commission in its Regulation, does not work.
I think the European Court of Justice (ECJ) and the UK Court quickly came to the conclusion that Google’s view of the data protection world could not be allowed to dominate the Internet. It then worked back to the legal facts to sustain that view.
So what made a win for Google impossible?
In the ECJ case, Google argued that “Google Inc”, established in USA, were doing the processing of personal data, and that if claimants (or data protection authorities) wanted to have their day in Court, all they need do was pop on a plane take their case, under Californian Law, in the USA Courts. This idea clearly works as a potential revenue stream for the airlines; it’s absolutely hopeless for data subjects.
Just think of the consequences if the ECJ accepted Google’s proposition? It would mean that European citizens (all 0.5 billion plus data subjects) could be required to obtain justice in a jurisdiction that was 4,000 miles away. In addition, if that position were true for Google’s data subjects, it might become true for Facebook’s data subjects, or Yahoo!’s, and all the rest of them.
In other words, I think the Court decided that it could not be expected to agree an outcome that had the unacceptable consequence that condemned European citizens to the risk of privacy violations without meaningful redress in any European Court. This in turn meant a way had to be found to reject Google’s claim.
The same thing happened in the UK when, last year, two appellants claimed that Google was tracking and collating, without their consent or knowledge, personal data relating to the Claimants’ internet usage on the Apple Safari internet browser. They claimed damages or compensation from Google; but on 12 August 2013, Google Inc. applied to the High Court for an order declaring that the English court has no jurisdiction to try these claims because Google Inc. did the processing in the USA.
The Judge rejected this position stating that the claimants were “individuals resident here, for whom bringing proceedings in the USA would be likely to be very burdensome”. In other words, a consequence of the Court accepting the Google Inc claim would be that 60 million UK data subjects might have to take any future case against Google in the USA jurisdiction. This, in effect, means the UK Court faced the same consequence that the ECJ faced, when it considered its judgement.
These judgments explain why the one-stop shop is a problem. Remember, Google, Facebook, Yahoo! etc are not corner shops scratching out an existence in one country; they are mega multinational, established in all European States, making mega-profits from millions of European citizens.
These companies employ smart accountancy techniques so they pay little corporation tax, apart from Ireland which has a low corporation tax and where, by mysterious coincidence, these companies have decided to establish their HQs.
Thus, to have the Irish Data Protection Commissioner (the Commission’s one stop shop solution in the Regulation) looking after the privacy concerns of half a billion European citizens, simply does not work. One can’t expect Greeks, Swedes and Italians to seek redress via the Irish Courts for the same reason why you can’t expect UK citizens to go the USA to take action against Google.
There is still a legal disagreement over the one stop shop as anticipated by the Regulation. I think the two Google judgments should be seen as supporting the view the one stop shop as proposed by the Commission endangers the privacy of all.
The UK case: Neutral Citation Number:  EWHC 13 (QB) (Vidal-Hall, Hann and Bradshaw v Google Inc); http://www.5rb.com/wp-content/uploads/2014/01/Vidal-Hall-v-Google.pdf
The ECJ Judgment: C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González” can be found on http://curia.europa.eu/juris/documents.jsf?num=C-131/12
Blog on the one stop shop legal arguments: http://amberhawk.typepad.com/amberhawk/2013/12/ms-reding-heralds-a-disappointing-day-for-data-protection-as-leading-lawyers-have-a-public-cat-fight.html