Review of FOIA – call for evidence

October 9th, 2015 by Anya Proops

The commission set up by the Government to review FOIA, in the wake of the Evans judgment, has today issued a call for evidence, as part of a six week consultative exercise (see here). The questions posed in the call for evidence tend to reconfirm the overall impression that the commission is keen to explore ways in which FOIA can be recalibrated so as to be a more State-friendly enactment. The commission has made clear that it is particularly focussed on the following six questions:

‘Question 1: What protection should there be for information relating to the internal deliberations of public bodies? For how long after a decision does such information remain sensitive? Should different protections apply to different kinds of information that are currently protected by sections 35 and 36?

Question 2: What protection should there be for information which relates to the process of collective Cabinet discussion and agreement? Is this information entitled to the same or greater protection than that afforded to other internal deliberative information? For how long should such material be protected?

Question 3: What protection should there be for information which involves candid assessment of risks? For how long does such information remain sensitive?

Question 4: Should the executive have a veto (subject to judicial review) over the release of information? If so, how should this operate and what safeguards are required? If not, what implications does this have for the rest of the Act, and how could government protect sensitive information from disclosure instead?

Question 5: What is the appropriate enforcement and appeal system for freedom of information requests?

Question 6: Is the burden imposed on public authorities under the Act justified by the public interest in the public’s right to know? Or are controls needed to reduce the burden of FoI on public authorities? If controls are justified, should these be targeted at the kinds of requests which impose a disproportionate burden on public authorities? Which kinds of requests do impose a disproportionate burden?’

No doubt much can be gleaned about the commission’s direction of travel from these questions. However, the commission’s repeated use of the ‘how long’ question is particularly interesting. Query whether it suggests that the commission is looking to propose minimum terms for the disclosure of certain categories of information, for example under ss. 35 and 36. Such a blanket approach to the protection of particular classes of information under these provisions would of course would mark a significant departure from the current more case/fact-specific approach presupposed by these provisions as currently framed. No doubt further commentary on Panopticon will follow in due course.

Anya Proops

California surfs the digital data privacy wave

October 9th, 2015 by Anya Proops

There has been a lot of excitement this week about EU-US data sharing in the light of the Schrems judgment (see not least the stream of posts on the judgment on our very own Panopticon). Of course what triggered the Schrems litigation was the Snowden revelations concerning Prism, the US government’s mass surveillance programme, revelations which themselves forced an intensive debate on the protection of digital privacy rights on both sides of the Atlantic. Against that background, it is very interesting to learn that yesterday the Californian Governor, Jerry Brown, signed into law an Electronic Communications Privacy Act designed to place substantial controls around the accessing of digital communications by law enforcement agencies (see further the report from the Electronic Frontier Foundation here). This important legislative development, which essentially subjects the access regime to a system of judicial warrants, suggests that California is very much ahead of the curve within the US when it comes to recognising the need to ensure greater protection for data privacy rights within the digital environment. It is also worth noting that the tech companies themselves appear to have played a strong role in the achievement of this more privacy-sensitive approach to law enforcement. This is hardly surprising given the impact which the Snowden revelations have had on consumer trust in the tech giants of Silicon Valley. It remains to be seen whether the pro-privacy stance being adopted in California is going to attract law-makers in the States as a whole. However, it is interesting to note that the new law in California was itself born out of a bipartisan bill, something which itself reconfirms the fact that the protection of privacy rights is an issue which transcends traditional party politics.

Anya Proops

Is it Getting Chilly in Here?

October 7th, 2015 by Christopher Knight

It has been an admirable trend of Tribunals in FOIA cases over the last few years that they have been increasingly sceptical of assertions on the part of public authorities that disclosure will provide chilling effects on their activities. An inevitable pattern forms of an insistence that the sky will fall in if information is released, information is released (or leaked), and the sky appears not to fall in. Government grinds on. But Judge Jacobs has provided a little more comfort for such arguments in DWP v Information Commissioner, Slater & Collins [2015] UKUT 535 (AAC). The case related to various risk register documents related to Universal Credit.

Before the FTT (see here) the DWP’s evidence was criticised for failing to provide any concrete evidence of ways in which this chilling effect had manifested itself across Government and noted that a different, but related, document had been leaked and had not appeared to have any chilling effect. Judge Jacobs was not impressed by this. He condemned the reasoning as sufficiently irrational to amount to an error of law because it had required evidence of something which would be very unlikely to be able to be evidenced (i.e. there wouldn’t be a paper trail of civil servants being circumspect) and because it compared the disputed information with a document it hadn’t seen (the leaked document). That error was sufficiently important to impugn the judgment as a whole, even though it was just one paragraph in a lengthy decision.

One can see the point about drawing conclusions from a document the Tribunal had not actually seen, but the other aspect of the criticism is more problematic. There might be expected to be some evidence of a chilling effect, if only by a comparison of the way in which civil servants worked before and after relevant events. Civil servants have duties to advise frankly which Tribunals have been rightly slow to conclude they would avoid complying with. The Justice Select Committee has previously found little evidence of such a chilling effect across Government (see the summary here). It is particularly difficult to see how the approach is especially consistent with that of Charles J in Department of Health v Information Commissioner & Lewis [2015] UKUT 159 (AAC), in which a Departmental tendency to indulge in a Mandy Rice-Davies approach was noted, along with a cautionary requirement for specific evidence of harm (see my commentary here). In short, the approach of Judge Jacobs is a little too close for comfort to allowing bare assertions of a nebulous chilling effect provided by a professional civil service. One must recognise the difficulties of proving a counter-factual, but whether Slater or Lewis more accurately casts the balance is a matter for some debate.

Judge Jacobs also noted that evidence will need to consider what officials ought to do as an aspect of the Tribunal’s predictive duties in relation to the actual effect of disclosure. More unusually, he also indicated a willingness (obiter) to open up the question of the trouble that can be caused by the media taking a selective approach to what it publishes and putting its own spin on that material as a relevant aspect. The ICO has long taken a clear line – applied in numerous cases by the FTT – that subsequent use and possible misrepresentation is, essentially, tough. Public authorities have to take it on the chin as part of the wider debate and can publish it with explanatory material which mitigates the risk of decontextualizing. Given the ability of people to take pretty much any sentence out of context, this would appear to be a very anti-disclosure line of reasoning of very broad scope and it will be interesting to see if it is returned to in future cases in which it matters more directly.

In the meantime, Judge Jacobs appears to have adopted the words of House Stark on the chilling effect: “Winter is Coming”.

Julian Milford appeared for the DWP and Robin Hopkins for the ICO.

Christopher Knight

Charging Ahead under the EIR

October 7th, 2015 by Christopher Knight

It is difficult to imagine what could possibly have happened yesterday to cause the CJEU’s judgment in Case C-71/14 East Sussex County Council v Information Commissioner (judgment of 6 October 2015) to slip beneath the waves, but for those who spent the day reading, talking and thinking about Safe Harbo(u)rs (presumably something to do with shipping?) East Sussex represents a comforting return to normality, if not mundanity, where the CJEU is asked straightforward questions and it doesn’t quite answer them.

The ability to impose charges for the provision of property search information is an important financial issue for many local authorities. Historically it had been thought by many that the imposition of such charges was governed by the Local Authorities (England) (Charges for Property Searches) Regulations 2008 (“CPSR”), which allow local authorities to recover all the costs of making such information available (including staff costs, overhead costs and the costs of maintaining relevant information systems). However, in recent years there has been an increasing awareness of the fact that requests for property search information to a large extent amount to requests for access to environmental information, such that they call for an application of the charging regime provided for in reg 8 of the Environmental Information Regulations 2004. The CPSR itself specifically provides that it does not apply to the provision of any information which is governed by other statutory charging regimes. Accordingly, it would seem that the CPSR is inapplicable in respect of requests for property search information insofar as those requests are made under the EIR.

Regulation 8 EIR – implementing Article 5 of Directive 2003/4/EC – allows reasonable charges to be imposed for making environmental information available, save that no charge may be imposed for permitting access to public registers or examining the requested information in situ. In East Sussex the applicant requested answers to questions in the standard property search form issued by the Law Society, the CON29R form. The Council imposed a fixed charge for providing this information, the fixed charge having been calculated on the basis of the approach provided for in the CPSR (i.e. was a charge which was intended to produce a cost neutral result for the Council). The charge itself factored in not only disbursement costs, but also staff time, a portion of the Council’s overhead costs, office costs and a portion of the costs of maintaining the information systems from which the relevant information is derived. Was this lawful? And also, was it permissible to approach the question of whether the costs were reasonable on a judicial review-type basis (which follows from reg 8(3) EIR which frames the question in terms whether the “the public authority is satisfied” that the charge was reasonable)?

To be fair to the CJEU, it provided a relatively clear answer on the first issue of what sort of costs can be recouped through charging. It emphasised that the charges must relate to the supply of the information, and that supply had to be something over and above the costs of establishing and maintaining the register/list of environmental information which had to be able to be inspected in situ for free. Any cost which relates to maintaining that database cannot be attributed to the supply: at [33]-[38]. The sort of thing which can be charged for encompasses “not only postal and photocopying costs but also the costs attributable to the time spent by the staff of the public authority concerned on answering an individual request for information, which includes the time spent on searching for the information and putting it in the form required. Such costs do not arise from the establishment and maintenance of registers and lists of environmental information held and facilities for the examination of that information“: at [39]. Staff costs/overheads which are actually attributable to the supply (as opposed to database maintenance) are recoverable in the application of ordinary accounting principles: at [41].

Any charge must still not exceed a reasonable amount, not least because there should not be a deterrent effect on those wishing to exercise their right of access to environmental information, applying Case C-217/97 Commission v Germany [1999] ECR I-5087. In assessing whether such an effect would result, and the charge is unreasonable, the Tribunal must consider both an objective analysis of the situation and the subjective financial position of the requestor: at [43]. The point of this is, of course, to ensure that a charge is not waved through simply because the requestor happens to be rich or well-funded when it would plainly deter others, and nor should the Court be taken to be approving requestor-specific variable charges. Although the Court did not finally determine the matter, it gave a clear indication at [44] that costs of £1-£4.50 were unlikely to fall foul of the reasonableness requirement, particularly given a reduction would be required to ensure the charges complied with the Court’s interpretation of what charges could be recovered in the first place.

More abstractly, the CJEU also considered the nature of the review process applied under reg 8(3), which has been interpreted to be restricted to judicial review principles. This the Court does not quite answer. It reiterates the unsurprising principle that the review must comply with the principles of equivalence and effectiveness, that JR which does not involve a full factual assessment is not necessarily problematic for EU law (at [58]; which is entirely consistent with the flexible nature of English JR principles in any event: R (A) v Croydon LBC [2009] UKSC 8; [2009] 1 WLR 2557), but that the assessment of whether charges are actually for supplying and whether they are reasonable are questions of EU law which must be capable of review on the basis of objective elements: at [58]-[59].

No need then to rip up reg 8 EIR, but some finessing on the part of local authorities will probably be needed as to their charging schemes, and Tribunals will need to be willing to engage a little more closely with those charging decisions on appeal. As Radiohead would say, “no surprises”. And they would. Panopticon has it on good (/made up) authority that Radiohead are very interested in charging decisions, lobbying strongly for a ‘pay what you want’ approach not only to albums but also to environmental information. Maybe next time lads.

Anya Proops appeared for the ICO.

Christopher Knight

Safe Harbour dead in the water…whilst data protection takes to the skies

October 6th, 2015 by Anya Proops

So there we have it. Data protection, once the preserve of tragic anoraks with too much time on their hands, has now firmly taken up its place as a glittering star within the European legal firmament. For who now, in the wake of the Schrems judgment, can doubt the global political and economic significance of the data protection regime, as embodied first and foremost in EU Directive 95/46/EC.

But let us begin by examining why the Schrems judgment in particular has launched data protection into the legal stratosphere. Well let’s start with the fact that it is not every day that a judgment issued by the Court of Justice of the European Union effectively finds that a world super-power has breached fundamental human rights by engaging in a campaign of mass surveillance within its own borders (see paras. 90-98). Then there’s the realisation that the Court has been prepared to deploy those findings so as to attack the validity of a European Commission decision which has shaped the approach which businesses within the EU and the US have taken to EU-US data sharing for the past fifteen years (see para. 104). Then it starts to sink in that the Court’s conclusion that that decision is invalid is inevitably going to destabilise data-sharing arrangements adopted by businesses across the EU, not to mention the US. So what starts as a hugely politically significant judgment turns into a judgment with vast commercial implications (and I am not just talking about the Facebooks of this world because it is clear that the judgment affects all business which transfer data into the US). What is all the more astonishing about the judgment is that it represents a remarkable willingness on the part of the Court to usurp an ongoing political process which is itself designed to achieve a consensus on lawful EU-US data sharing (see further the European Commission’s continuing efforts to negotiate with the US authorities on how to address deficiencies in the Safe Harbour regime).

But then again should any of this really come as any surprise? After all, this is not the first time that the Court has boldly used EU data protection legislation as a means of reshaping key socio-political paradigms. First, it was the internet which was subject to a substantial sea-change as a result of the Court’s recognition that a right to be forgotten could be asserted against search engines (as in Google Spain). Then we saw the Court using data protection legislation in effect so as to inhibit EU Member State surveillance programmes (as in Digital Rights Ireland). Now it is the wider corporate world which is feeling the full force of the behemoth that is EU data protection legislation as data-sharing arrangements across the EU-US piste potentially unravel in the face of the Court’s judgment (see further the ICO’s recent statement on the judgment and its implications for businesses here).

The important question which has yet to be answered is whether the Court’s seemingly relentless march to affirm the primacy of data privacy rights within and indeed beyond the borders of the EU may ultimately itself produce wholly disproportionate and indeed politically untenable results. However, one thing is for sure: the data protection super nova will continue to attract our gaze for some time to come.

Anya Proops


Safe Harbor Dead in Water

October 6th, 2015 by Christopher Knight

To no-one’s very great surprise following the Opinion of AG Bot, the CJEU has today declared the Commission’s Safe Harbor Decision invalid in Case C-362/14 Schrems, with all the consternation that that causes to inter-state trade between the US and the EU.

Fuller commentary when the judgment is available later but it tops off a bad week for data controllers.

Christopher Knight

Bara and Weltimmo: First Thoughts on Second Sight

October 5th, 2015 by Christopher Knight

Now the immediate dust has settled on last weeks’ judgments of the CJEU in Bara and in Weltimmo it is perhaps briefly revisiting both to note some of the real issues and questions which arise. Answers are harder to come by, but the theme is of a rigid approach by the Court to Directive 95/46/EC which squeezes data controllers until the regulatory pips squeak. The impact of both judgments, not to mention the forthcoming Schrems, could be really significant and, frankly, counter-productive in terms of encouraging the free movement of goods and services. Free movement of data is not a Treaty right, and there are obvious needs to place limits and protections on personal data, but whether the CJEU is adopting an approach which gives businesses sufficient room for practical manoeuvre is another matter.

Some thoughts then on a re-reading of both judgments:


  • Although the context was transfers between public authorities, the principle is not so limited. Any transfer of data to a third party which does not already have express consent will be at risk of unfair processing.
  • Just because the two parties to the transfer agree it, and may be obliged to do it (contractually, say), that does not mean the data subject has approved it. Because both making and taking the transfer are acts of processing both data controllers need to have notified the data subject. That is onerous and easy to overlook.
  • Not only does the data subject need to have agreed the transfer, they need to know why the transfer is happening (i.e. the purpose). This is much more information being provided to the data subject than one usually sees.
  • None of this is any different from the principle adopted in Optical Express; if someone fills in a travel survey with Thomas Cook and aren’t told that their data will be sold to another company who will send them laser eye surgery texts, how can they make an informed choice about what they want to object to? This is essentially the point Bara makes.
  • But does anyone actually send DP notices to data subjects? Not, one suspects, very many. Certainly not as many as should do so.
  • That also plays into compliance with the third and fourth data protection principles. If your data isn’t up to date, you cannot properly notify the data subjects (DPP4). If you have harvested and kept excessive amounts of data, you have to spend an unnecessary amount of time and money on notifications (DPP3).


  • Weltimmo has a more obvious immediate impact. You don’t get to situate yourself in one (doubtless the most regulatorily convenient) jurisdiction and ignore the regulators in all other Member States if you are targeting your online business to those other States. They can all come after you, and even if they can’t, they can get your home regulator to do so.
  • This is a major move away from a one-stop shop system of DP regulation, whilst implying a pan-European consistency that isn’t really there on the ground. The variations in the application of Google Spain is a good example of just how far apart the national regulators can be.
  • On any interpretation of the judgment, the outcome is not one which multi-national companies will have expected or wanted. Major online businesses face the prospect of being subject in every detail to regulators of every Member State. Nor can they ignore judgments in cases against them in more tangential parts of the business empire because under the Brussels I regime a civil judgment in one Member State is enforceable in any other.
  • How one gets around Weltimmo is going to be tricky to work out. Will it be enough to have a website in English targeting English customers, but not to have any physical presence in England? What about no employees but an English bank account? Essentially, are the factors listed by the CJEU cumulative or distinct (given the need for only a “minimal” activity)?
  • Private international lawyers will struggle to classify Article 4 slightly. Is it a jurisdiction issue or a choice of law issue? The CJEU states a conclusion in terms of an applicable law, whilst considering factors which are classically jurisdictional. In reality, it is probably both. The question of where an establishment is to be located is a jurisdictional one, although which law applies to that issue is probably an odd combination of the lex fori and sui generis European concepts as set out in Weltimmo. But once establishment has been, well, established, then that determines the choice of law: it is the law of the place of the establishment. It is just that there may be more than one establishment (i.e. at least Slovakia and Hungary) and therefore more than one applicable law. This is not very doctrinally coherent, particularly when one moves to trying to work out the jurisdictional competence of a court, and then the applicable law, of a private claim for breach of the implementing legislation. How are they meant to match up? Indeed, are they? Is Article 4 entirely divorced from Brussels I? (It might be for the actions of regulators, which would be engaging in administrative activities and outside the scope of Brussels I, but Article 4 applies to actions taken by the data subject too. Is it meant to be a self-contained code? Unclear.)

The fact that answers do not readily appear to all of these issues may itself be a troubling indicator of a lack of wider and/or deeper thought by the CJEU as to how its judgments will actually work in practice. Doubtless some will be worked through in time. But much of this is far too important to real people doing real things to be left to iron itself out over the next five years. Still waters may run deep, but it is the murky ones you drown in.

Christopher Knight

What can journalists report about private court proceedings they attend? Trying to sort out the mess

October 5th, 2015 by Paul Greatorex

Former rock ‘n’ roll star Liam Gallagher and former pop star Nicole Appleton were married with children and seemed rock steady as a couple but sadly are now getting divorced and left wondering “where did it all go wrong?”  Whatever, some might say, stop crying your heart out about water under the bridge and just roll with it – this is a serious blog whose readers would never ever expect to find stories about celebrity gossip, still less a list of Oasis and All Saints song titles masquerading as a post about information law.

But don’t go away, because the judgment of of Mostyn J in Appleton v Gallagher [2015] EWHC 2689 (Fam) is an interesting one about the very important issue of what the press can report about private court proceedings.  Little by little, closed family proceedings are opening up: changes to the Family Procedure Rules made in 2009 permitted journalists to attend private court hearings in the Family Division.  The court can make an order excluding them, but only after considering lesser measures such as a reporting restriction order.

In the present case, journalists from the Sun and other newspapers (possibly including the Hindu Times, the judgment does not say) wanted to attend and report on Mr Gallagher and Ms Appleton’s ancillary relief proceedings; Mr G and Ms A wanted to have the press excluded.  For procedural reasons it fell to Mostyn J to decide whether reporting restrictions should be imposed before a separate judge decided whether the press should be excluded altogether.

Confused?  According to Mostyn J at [6], it is an understatement to say that the law in this area is a mess.

As the judge said at at [9], although section 12 of the Administration of Justice Act 1960 explicitly provides that the reporting of proceedings held in private (except for those which wholly or mainly concern children) is not a contempt of court, such reporting is nonetheless prohibited as a result the implied undertaking that attaches to disclosed information.  In the context of private ancillary relief proceedings where there is an obligation to make full and frank disclosure of all financial information that goes far wider than the duty of disclosure in an ordinary civil dispute, the courts have been particularly strict in enforcing this.  As stated by Thorpe LJ in Clibbery v Allen (No 2)[2002] EWCA Civ45, “all the evidence (whether written, oral or disclosed documents) and all the pronouncements of the court are prohibited from reporting and from ulterior use unless derived from any part of the proceedings conducted in open court or otherwise released by the judge.”

The submission on behalf of the press (described by Mostyn J as “very bold”) was that this position is now different as a result of the 2009 rule change.  Mostyn J rejected this saying the purpose of this “was to enable the world to understand how children proceedings, especially public law care proceedings, were conducted”, and referred to what was said in Re Child X (Residence & Contact – Rights of Media Attendance) [2009] EWHC 1728 (Fam) about it enabling the media to exercise a role as “watchdog” on the part of the public at large.  It was not, however, “intended to abrogate [the] core privacy provided by the implied undertaking and the hearing of the proceedings in chambers”, a privacy which he said has been “maintained and endorsed” by Parliament.

In the alternative, the judge said that even if the matter was one of an ordinary balancing exercise, this came down in favour of not allowing reporting, highlighting: (a) the fact that neither party had sought to “yoke the press to his or her cause” or spoken about the divorce and (b) press comments thus far had been limited and there had not been extensive inaccurate speculation.

Some might say [you’ve done this one already – Ed] this judgment will surely be overtaken soon by a comprehensive reconsideration of the law by the Court of Appeal, something urged by Mostyn J at the conclusion of his judgment when he granted permission to appeal.  As such, it remains to be seen whether this judgment will live forever or just slide away [That’s enough – Ed.].

Paul Greatorex


Share and Share Alike – Childhood Lessons Not Approved by CJEU

October 1st, 2015 by Christopher Knight

Back in July I posted on the Opinion of the AG in Case C-201/14 Bara v Presedintele Casei Nationala de Asigurari de Sanatate and the CJEU has now handed down its judgment, happily for me in English. The context is that people deriving their income from independent activities were called to pay their contributions to the Romanian National Fund for health insurance, following a tax notice issued by the Romanian health insurance fund. However, that tax notice was calculated on the basis of data on income provided National Tax Administration Agency under an internal administrative protocol. The complaint was that the transfer by the Tax Agency to the Health Insurance Fund of personal data, particularly related to income, was in breach of Directive 95/46/EC because no consent had been provided to the transfer, the data subjects had not been informed of the transfer and the transfer was not for the same purpose as the data was originally supplied.

The CJEU has dealt with the matter in pretty unambiguous terms. Such data sharing was a breach of Article 6 of the Directive, which requires processing to be fair and lawful, because data subjects were not informed of the transfer to another public body or the purpose for the transfer: at [34]. It was a breach of Article 10, which requires the data subject to be provided with information concerning the identity of the controller and the purposes of processing, because no such information had been provided, and the derogations in Article 13 had to be done through legislative measures, whilst the Romanian public bodies simply did it by way of a protocol: at [38] and [41]. Moreover, it was a breach of Article 11, which requires a controller who has not obtained the data from the subject itself to inform the data subject of its identity and the purposes of processing, because neither of the public authorities had told data subjects anything at all: at [43].

All in all, your mother was wrong. Do not share things. Or at least, do not share personal data without providing very clear information to the data subject about what is happening and why. It doesn’t matter if you are a public authority. Go to bed without any supper.

Christopher Knight

Cross-Border Data Protection in the Internet Age

October 1st, 2015 by Christopher Knight

One of the great difficulties facing data protection lawyers is how Directive 95/46/EC copes with the internet age. How do you work out where processing has happened? How do you work out who is responsible? Where can you sue them or otherwise take action against them? What law applies (important given that the Directive has been implemented in different ways in different Member States)?

Article 4 provides some of the answer:

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.”

The decision of the CJEU Google Spain gave some consideration to these matters, but while it certainly established that one could pursue Google through it having a presence in a Member State, it did not really deal with the smaller fry.

However, the CJEU’s decision today in Case C-230/14 Weltimmo v Nemzeti (judgment of 1 October 2015) provides a bit more clarification. Weltimmo (as Anya’s post on the AG’s Opinion has previously discussed) is a company registered in Slovakia, but which the Hungarian data protection authority wished to fine for breaches of the Directive. Those breaches related to the activities of property dealing websites Weltimmo ran which advertised properties in Hungary and revealed various items of personal data of the property owners. What factors were relevant in working out whether Weltimmo was established in Hungary under Article 4?

Article 4, stressed the Court, was the key to determining the national law applicable: at [23]. The Directive had prescribed a broad territorial scope (see Google Spain): at [27]. In the particular context of the internet, said the Court without particularly expressing why there should be different tests for different types of business, when working out whether Weltimmo was also established in a State where it was not registered, one had consider “both the degree of stability of the arrangements and the effective exercise of the activities” in the light of “the specific nature of the economic activities” concerned: at [29]. (No mention of where there was not a clear economic activity.) An establishment can be shown by “any real and effective activity – even a minimal one – exercised through stable arrangements“: at [31].

What is relevant then? The presence of just one representative can be sufficient if acting with a sufficient degree of stability through the presence of the necessary equipment for the provision of the services (i.e. not necessarily where the servers are): at [30]. Running a website about properties in Hungary, written in Hungarian, which charges advertising fees constituted a real and effective activity in Hungary: at [32]. The presence of a representative in Hungary, who acts as a point of contact with the Slovak company and the data subjects, and a Hungarian bank account, and a Hungarian letter box for the business, were all capable of showing an establishment: at [33]. What is not relevant is the nationality of the data subjects: at [40] (which is consistent with the classic approach to jurisdiction under the Brussels I regime). The processing itself must take place in the context of the activities in Hungary, but the Court had no difficulty with that: at [38]. As a result, Hungarian law applied to Weltimmo: at [39].

This was all fact-specific of course, but it does give some fairly extensive guidance, and certainly indicates that any website aimed at a particular jurisdiction, plus some sort of physical presence of some sort, will be sufficient to amount to an establishment. Company registration elsewhere will not be an escape route.

There was also a second issue, which was technically obiter, about when a national regulator can take action against a data controller who may be subject to foreign laws. The CJEU strongly emphasised that it was the obligation of the regulator under Article 28 to take action within its own territory and to investigate every complaint made to it, irrespective of the applicable law: at [54]. What it cannot do, of course, is try to fine a controller not established in its own State: at [56]. So, if having investigated, the regulator reaches the conclusion that the controller is established elsewhere and subject to a foreign legal regime, it must ask the relevant national regulator to take over the case and impose any penalty based, in part, on the information provided between regulators: at [57]. Cross-border regulation might not yet be at a one-stop shop level, but it is meant to have teeth.

Weltimmo is a genuinely important decision and provides some very helpful guidance. By no means does it answer all of the questions, particularly outside of the internet, and it does not come close to the beginning of the end. But perhaps, following Google Spain, it is the end of the beginning.

Christopher Knight