By Dennis Holmes
Westin Research Fellow

In two European cases making headlines this week, U.S. online powerhouses successfully claimed European data protection regulators lacked jurisdiction to regulate their activity. One case involved the ongoing dispute between Facebook and the data protection authority (DPA) for the German state of Schleswig-Holstein. A German court overturned an order by the Schleswig-Holstein DPA requiring German companies to deactivate their Facebook fan pages, holding that German companies had no effective control over the data hosted by Facebook, whose European base is in Ireland. The other case involved Netflix, which was exempted from enforcement by the Dutch DPA on account of its European establishment being in Luxembourg.

These cases join a long line of disputes pitting global online companies against national privacy regulators and raising to the fore the thorny questions of personal jurisdiction and applicable law on the Internet. Google is involved in several such cases, disputing jurisdiction of UK courts in a matter involving alleged circumvention of Safari privacy settings; and claiming the Spanish DPA lacks competence to regulate its global online search engine activities.

Where is the online “there”?

The Internet has disrupted traditional notions of applicable law and jurisdiction. Individuals and companies can now become subject to the law of a foreign country even without a physical presence.

The Internet has disrupted traditional notions of applicable law and jurisdiction. Individuals and companies can now become subject to the law of a foreign country even without a physical presence. Under Article 4(1)(a) of the European Data Protection Directive (DPD), European law applies where “the processing [of personal data] is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. Alternatively, under Article 4(1)(c) of the DPD, European law applies even in the absence of a European establishment, if—for the processing of personal data—the controller “makes use of equipment … situated on the territory of that Member State”.

With respect to U.S.-based online companies, the questions consistently raised are whether (and where) such companies are “established” in the EU; whether their processing of personal data takes place “in the context of the activities of an establishment” in a Member State; and—if the answer to these questions is negative—whether they “make use of equipment” situated in the EU.

The “use of equipment” test is compounded by the fact that, on the one hand, European DPAs have interpreted it broadly, deeming the dropping of a cookie on an EU user’s web browser “use of equipment” in the EU; and on the other hand, they have warned against jurisdictional overextension resulting in “undesirable consequences, such as a possible universal application of EU law.” To address the legal complexity, U.S. companies are deploying different legal strategies, with Google typically disputing EU jurisdiction, arguing that it is established in the U.S., while Facebook concedes European jurisdiction but argues that it is established in Ireland and should therefore litigate and be regulated there, as opposed to in other member states.

Two impending developments are likely to help clarify the legal situation. The first is the European Court of Justice (“ECJ”) case pitting Google against the Spanish DPA (AEPD). The second is the slow but steady advancement in Brussels of the General Data Protection Regulation (GDPR), which is set to replace the DPD. 

The ECJ Case: Google v. AEPD

A case currently pending before the ECJ involves a request by a Spanish individual to have Google delete search results presenting him in a negative light, despite those results pointing to accurate, publicly available information. The AEPD ordered Google to remove the data. Google challenged the order arguing that AEPD lacks jurisdiction over its search operation, which is based in the U.S. The Spanish High Court referred the jurisdictional question (along with additional issues) to the ECJ.

While the ECJ has yet to issue a formal decision, the Advocate General (AG) has issued an advisory opinion addressing the jurisdiction issue. The AG noted that Google’s national offices in Europe act as commercial representatives for the company’s advertising functions and are “to a certain extent coordinated by its Irish subsidiary.” It stated that Google has data centers in Belgium and Finland, but does not disclose information concerning the exact geographical location of functions relating to its search engine activity. Google claimed that no processing of personal data relating to its search engine took place in Spain.

In his opinion, the AG rejected Google’s arguments, holding that where Google sets up a branch office or subsidiary in a Member State for the purpose of promoting and selling advertising space on its search engine, such an office or subsidiary orientates its activity towards the inhabitants of that State and therefore subjects Google to local jurisdiction. The final decision of the ECJ, expected to be released in December, will have broad implications for online companies with a European presence.


In its 2010 opinion on applicable law, the Article 29 Working Party proposed that in any future legislation, relevant targeting of individuals would be taken into account in relation to controllers not established in the EU. This approach is reflected in the European Commission Proposal for the GDPR. Under Article 3(2) of the GDPR, the application of European law would extend to the processing of personal data by a controller not established in the EU, where “the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; or (b) the monitoring of their behavior.” Critics argue that this extension of extraterritorial application constitutes a dramatic shift from a “country of origin” to a “country of destination” approach and portends general application of the GDPR to the entire Internet.

While expanding international application, the GDPR would simplify jurisdiction and applicable law for controllers established in the EU, by introducing a “one-stop-shop” lead regulator. The one-stop-shop concept remains hotly debated, however, with European Parliament members pushing a watered down version of a lead regulator as a single point of contact as opposed to a sole competent authority. Moreover, under the existing text, the one-stop-shop concept would not apply to companies not established within the EU. This means that if such companies are caught by the expanding scope of EU regulation, they would have to dealing with as many as 28 national (and additional state level) regulators. In various statements, the European Commission has clarified that this result does not reflect legislative oversight, but rather a conscious effort to provide an incentive for global businesses to establish a EU base as a locus for applicable data protection law and jurisdiction.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»