The end of the Safe Harbor regime: time for structural separation of personal data?

The Court of Justice of the European Union (CJEU) has declared invalid the so-called Safe Harbor decision of the European Commission of 26 July 2000, which allowed US platforms and OTTs such as Facebook, Amazon, Google and others to transfer to, and collect in, the United States the personal data of European citizens (Case C-362/14 Maximillian Schrems v Data Protection Commissioner). The text of the judgment can be found here.

The judgment of the EU Court will have several fundamental consequences for the business of US OTTs in Europe. In particular, the transfer and processing of European citizens' personal data in the US risks becoming permanently uncertain and unfit for an online business based on profiling and online advertising. My first thoughts on this:

  • a new Safe Harbor decision will not solve the problems. The CJEU confirmed that national supervisory authorities remain competent to examine whether the transfer of individuals' data to third countries complies with the requirements set by the Data Protection Directive (Directive 95/46). This will make for a very different business environment for US-based platforms and OTTs in the EU; as a matter of fact, such companies will from now on run the risk of individuals challenging the way their data are processed in the US. Additionally, since most US OTTs are based in Ireland, the Irish data protection authority will have to manage an enormous, unexpected, and perhaps unwanted, power over the entire US online business;
  • in any case, it would be difficult to reach and enforce a new Safe Harbor decision. The CJEU clearly stated that the current way the US processes personal data is not acceptable, because there are neither guarantees against, nor limitations on, potential interference by US investigative authorities, in particular for security and anti-terrorism reasons. Nevertheless, in a joint declaration, Vice-President Timmermans and Commissioner Jourová optimistically declared that "we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic";
  • therefore, it seems that the only solution for US OTTs wishing to continue doing business in the EU will be to store data in the EU rather than in the US. This means they will have to create new and separate data processing centers in the US and in the EU respectively. It would be a kind of structural separation of personal data;
  • for some OTTs this forced structural separation of personal data will be a disaster, since their business, based on profiling for advertising and marketing, becomes much less valuable if data cannot be pooled and profiled together;
  • to overcome this issue, an enormous political effort would be needed between the US and the EU. In particular, the US would have to accept to discuss, and comply with, the data protection standards indicated by the European Court. However, this is very unlikely to happen in the short term.

In the short term, US OTTs will continue to carry on their business, since transfers of data to third countries may also take place (art. 26 of the Data Protection Directive) through alternative means, such as the consent of the data subjects, the so-called Binding Corporate Rules or the use of standard contractual clauses. However, such instruments do not constitute a viable, long-term solution in the present circumstances, since the judgment, as far as mass surveillance is concerned, clearly applies to any alternative transfer method as well. In other words, the CJEU did not argue only under the Safe Harbor decision, but based its judgment on fundamental rights that apply no matter which transfer method is used.

Search engines, right to be forgotten and data protection: regulating Google?

A new decision of the Court of Justice of the European Union (Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos) raises very interesting points with regard to the application of data protection rules (namely Directive 95/46/EC) to search engines. The Court's press release is here.

The facts

The case started with a series of complaints filed with the Spanish Data Protection Agency (AEPD). One specific claim concerned information published in the popular newspaper La Vanguardia reporting the financial difficulties of the claimant (the sale of some real estate). The claimant wished this information to disappear from the web, because the financial difficulties had since been resolved, and therefore asked the newspaper to remove it and Google to disable the links returned when googling his name. Remarkably, the complaint against the newspaper was dismissed, because the AEPD found that the information was true and lawfully published and therefore one could not interfere with the freedom of the newspaper. By contrast, the AEPD upheld the complaint against Google and its Spanish subsidiary, Google Spain, calling on the dominant search engine to take the necessary measures to withdraw the data from its index and to render future access to the information via its search engine impossible. Google and Google Spain appealed against that decision before the Spanish courts, and the case was then referred to the CJEU in Luxembourg.

The application of European data protection rules to Google and, in general, to extra-EU Internet operators

According to the European judges, a search engine is subject to European data protection rules even if it is established outside the EU, provided that the relevant business is directed at European users. Therefore, the mere fact that the headquarters, main establishment, servers, etc. of a search engine are located abroad, in a non-European country, is not a reason to escape European jurisdiction. The European Court held, in this regard, that where personal data are processed in order to promote and sell, in a given Member State (such as Spain in the case at hand), advertising space offered by the search engine to generate revenue, then European rules apply. This conclusion is not surprising; however, one should note that the technical details of the case (i.e. the fact that the infrastructure used for the data processing is located in the US) had been invoked by Google to contest European/Spanish jurisdiction. Google normally maintains that its search engine business is run by Google Inc., based in California, and is therefore subject only to US data protection legislation. In the case at hand, it argued that Google Spain is only responsible for selling advertising space on Google's search engine and has no role in the operation of the search engine itself. However, the AEPD pointed out that Google Inc. indexes Spanish websites using crawlers and robots and uses a Spanish domain name. Moreover, the centre of gravity of the litigation was in Spain, concerning information published on a Spanish website, in the Spanish language, about Spanish residents.

Remarkably, the issue of European jurisdiction over Google Inc. had already been debated in a similar case fought in Italy about data protection and the protection of minors (the well-known Vividown case). There the national courts reached similar conclusions on jurisdiction (although the case was ultimately lost on the merits): national laws apply to Google because of the territorial target and effects of its business activity. Today's CJEU decision confirms this approach.

The search engine and the right to be forgotten: an attempt to regulate Google?

The merits of the case are more intriguing and raise some legitimate questions. As stated above, the personal data at stake were lawfully published in the Spanish newspaper and have not been removed from there. Therefore, one should wonder why the right to be forgotten should be applied only to Google, with respect to data stored on servers outside its control. Google respectfully invoked the intermediary liability regime set forth by the Electronic Commerce Directive (Directive 2000/31/EC). The CJEU, by contrast, took another view:

… the Court holds that the operator is, in certain circumstances, obliged to remove links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name. The Court makes it clear that such an obligation may also exist in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

Thus, the Court refers to "certain circumstances" which must be considered by the search engine, or eventually by the national judge in case of disagreement, on the basis of a balancing exercise between the data subject's rights and those of other internet users with a legitimate interest in finding the information.

The decision sounds a bit political. The CJEU seems to suggest that in the current Internet ecosystem search engines count much more than the source of the data:

"... Given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites."

According to the European Court, without Google's indexing and search activity such data continue to exist but are substantially inaccessible, and thus as good as non-existent. One should wonder whether this conclusion is driven by the fact that Google is the dominant operator in the online search sector. In a truly competitive search market, i.e. with a plurality of search engines, the only workable solution would be to remove the information directly at the source. However, in the current market structure, dominated by Google, the decision of the CJEU seems to be driven by practical opportunism rather than by solid legal reasoning.

The interferences with other frameworks

We will continue to talk about this judgment, because it may produce consequences which have not been fully considered by the Court. The assumption that a search engine, as in the case of Google here, must be seen as a data controller opens the door to far-reaching consequences for a wider range of operators, not only search engines. The impact on the Electronic Commerce Directive (2000/31/EC) should also be analyzed, as well as the ISP liability regime: was Google acting as a caching provider, a hosting provider, or something else? In addition, the idea of intervening on the index rather than removing the content at its source also appears problematic from a technical point of view.

In any case, the finding of the CJEU (you may like it or not; I do not like it much) is remarkable and may be seen as the recognition of the paramount position achieved by search engines, and in particular by Google, on the Internet. Without search activity as it has developed until now, information and data disseminated on the Internet have little importance because they cannot be easily found: "I am indexed, therefore I exist". The existence of individuals' data on the Internet is the result of their capability to be reached by third parties, and search engines (Google in particular) enable, and to some extent control, that capability.


Malmström slows down on data retention

The European data retention rules will be updated, but without haste.

UPDATE 11 DECEMBER 2014: as is well known, the Data Retention Directive was annulled in April 2014, giving rise to scattered reactions across the various Member States of the European Union. The revision of the Data Protection Directive 95/46 is still midstream. In the meantime, on 11 December 2014 the Court of Justice of the European Union issued a judgment (Case C-212/13 František Ryneš v Úřad pro ochranu osobních údajů) that places limits on the use of video surveillance in public places, thereby creating problems for the operators of cameras, who are treated in every respect as data controllers (for all images recorded on the public street).

The European Commissioner for Home Affairs, Sweden's Cecilia Malmström, announced yesterday, during a formal hearing at the European Parliament, that the revision of Directive 2006/24/EC on data retention will take place, but without hurry. The reason for this delay is said to be largely the parallel revision of the Data Protection Directive (Directive 95/46/EC), whose examination by the European Parliament began only a few months ago. Data retention and data protection are in fact closely interconnected: while the former governs how, and for how long, telecommunications operators must retain their users' traffic data (together with other personal data), the latter concerns the protection of personal data as such. The mutual interdependence is therefore evident: the choices made on data protection, in particular the balance struck between individual rights and economic or general interests, are bound to influence the data retention rules, where one has to decide how far individuals should tolerate their personal data being retained on ISPs' servers for purposes of justice (generally, to allow investigations by the judicial authorities).

Commissioner Malmström did not indicate a precise timetable, but everything suggests that work will not start before 2014 (given the time needed to revise the Data Protection Directive, which promises to be long, uncertain and contested).

The ISP and telco sector is only half rejoicing. Data retention rules are generally unpopular with the industry because they entail costs, liabilities and complexity for operators, who have to set up considerable IT systems to meet the requests of public security authorities. Moreover, the effectiveness of the instrument has often been contested, at least in its breadth (statistics indicate that the usefulness of retained data for justice purposes becomes practically nil after 3 months; nevertheless many European states insist on requiring retention for up to 24 months). Finally, there are the citizens, who can take action against ISPs if their personal data are subject to unwanted or unlawful access, which is a source of liability and conflict.

Some hoped that the Commission might announce a radical choice, namely abolishing the Data Retention Directive altogether, but that did not happen. However, the long revision timeline means that any tightening of the new rules will be slow to arrive and will in any case be the subject of long battles. At the same time, the prospect of a reimbursement for the investments made to set up the necessary IT equipment also recedes. Commissioner Malmström had hinted at some openness on this issue, which is very dear to ISPs, but now it has been postponed indefinitely.

For completeness, Directive 2006/24/EC was transposed in Italy by Legislative Decree 109/2008, which amended the Privacy Code, in particular Article 132. In other countries transposition has been particularly troubled. Belgium and Germany have not transposed it at all, Germany because the Constitutional Court in Karlsruhe found the transposing law contrary to the German Constitution. That did not prevent the European Commission from bringing Germany itself before the European Court of Justice for failure to transpose the directive. In Ireland a local judge questioned the legitimacy of the directive and referred it to the European Court of Justice. In the Czech Republic, as in Germany, the Constitutional Court declared the transposing law unconstitutional. Actions against the directive have also been launched in Slovakia.



The European Parliament sets the timetable for the privacy reform

The European Parliament's rapporteur for the reform of the Data Protection Directive, the Green MEP Jan Philipp Albrecht, has made public the assembly's work schedule on the dossier. It will start on 29 May 2012 with a public workshop, followed by several other meetings with the European Commission and stakeholders. The substantive part of the procedure will begin only after the summer, however, with the adoption of the report (i.e. the rapporteur's position on the Commission's proposal) and the related amendments. The Parliament's position will then have to be agreed with the Council. Rapporteur Albrecht expects the whole procedure to conclude, with approval by the European Parliament in plenary, in early 2014. A long road, then.

The work schedule can be found here.

A new volley of buckshot at ACTA (this time from the European Data Protection Supervisor)

By now everyone is distancing themselves from ACTA, as if it were the plague. After various governments announced that they do not intend to ratify the treaty, with increasingly frequent reservations within the European Commission, and with the clear opposition of many Members of the European Parliament, now the European Data Protection Supervisor (EDPS) has also announced an extremely critical position.

In an opinion issued just today, the EDPS criticised many aspects of the ACTA treaty that would violate fundamental rights of the individual, the right to privacy, and the Community acquis on the enforcement of intellectual property rights. In other words, the EDPS went well beyond its own remit in the field of personal data protection and expressed a more broadly critical opinion. This position could foreshadow a possible condemnation by the Court of Justice of the European Union, to which the European Commission has turned for an opinion.

Update 4 July 2012: in the end, the European Parliament definitively refused its consent to the ratification of ACTA. Here is my comment on the rejection.