Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

The slow death of EU forum shopping

By Nick Graham
August 12, 2015
  • Europe
Share on Facebook Share on Twitter Share via email Share on LinkedIn

Forum shopping (i.e. where businesses pick and choose the most privacy-friendly EU state to set up shop) has always been a somewhat unique side effect of EU data privacy law. Then last year saw the Google Spain case where the European Court of Justice said that if a global organisation has a sales and marketing office in an EU country, it must follow the laws of that particular country. Now we have a regulator in Germany applying the Google Spain principle to another tech giant: Facebook.

You may have seen in the press recently that Facebook has a “real name policy”. In fact, it changes users’ fake user names to real ones or blocks them. The Hamburg Data Protection Authority (DPA) has taken issue with this. It says that Facebook is violating an individual’s rights to “informational self-determination” under the German Telemedia Act. Facebook maintains that since its EU headquarters are in Ireland, it is subject to Irish, not German (or any other EU), data protection law. The Hamburg DPA has decided to fight this. It cited Google Spain and argued that because Facebook is economically active in Hamburg (i.e. has an office there), it has to abide by German law. In the DPA’s words: “Facebook cannot again argue that only Irish data protection law would be applicable. Anyone who stands on our pitch also has to play our game”.

However, the territorial test for application of data protection law under the current Directive is based on local establishment and use of equipment. Specifically, if a company is established in a jurisdiction it has to comply with local DP law. If it isn’t (but is established in Ireland) then Irish DP law applies. So in 2013 the Administrative Court of Schleswig-Holstein in Germany held that Facebook was subject to Irish and not German DP law, since the processing of personal data occurred in Ireland rather than Germany. (The Court did not come to a decision as to whether Facebook had infringed any German DP laws.) The Google Spain decision is re-interpreting the rules here.

It will be interesting to see how this all plays out, especially with the EU Data Protection Regulation now in its final stages of negotiation and the debate around whether the “one-stop shop” mechanism will finally put an end to forum shopping. To be continued…

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Nick Graham

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity, information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.

All posts Full bio

RELATED POSTS

  • Europe
  • General

Stretching the boundaries through artificial intelligence: the European proposal for a dedicated regulation. The protection of personal data.

By Giangiacomo Olivi
  • Europe

Article 29 WP response to “Privacy Shield”

By Nick Graham
  • Europe
  • New and Proposed Laws

New guidance from the Polish DPA: a warning for all Safe Habor (ex)participants

By Dariusz Czuchaj

About Dentons

Across over 80 countries, Dentons helps you grow, protect, operate and finance your organization by providing uniquely global and deeply local legal solutions. Polycentric, purpose-driven and committed to inclusion, diversity, equity and sustainability, we focus on what matters most to you. www.dentons.com

Grow, Protect, Operate, Finance. Dentons, the law firm of the future is here. Copyright 2023 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. Please see dentons.com for Legal notices.

Categories

  • Accountability
  • Asia Pacific
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Latin America
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo in black and white

© 2023 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site