Regulatory

Territoriality Principle on the Horizon

Current international data transfer principles might soon face significant changes.

The ECJ’s ruling

It is commonly known that the European Court of Justice (ECJ) has held the Data Retention Directive invalid.1 The details of the ECJ’s reasoning are not, however, generally known. Moreover, one particular consideration in the judgment’s reasoning has stayed fairly undetected.

But generally, the ECJ has conceded in its ruling that the retention of data does not by itself adversely affect the fundamental rights to respect for private life and to the protection of personal data. The court further held that the potential disclosure of such data to national authorities principally serves a legitimate general interest: the fight against serious crime and the safeguarding of public security.

However, the ECJ found the Data Retention Directive to infringe the principle of proportionality because it applies to all individuals, communications and traffic data without differentiation or limitation. The court has also held other parts of the Directive excessive, such as the fact that the retention period does not differentiate between the stored data categories.

But the real spotlight should be on the ECJ’s considerations on data security. The court held the Data Retention Directive invalid because it allows the service provider to align the security measures to the provider’s commercial and economic considerations. Most notably, however, the ECJ has also criticised that the Directive does not require the data to be retained within the EU. With this, the Court claimed that the Directive does not sufficiently ensure control rights of an independent authority, as explicitly required by EU data protection law (in particular, the European Charter of Fundamental Rights).2 In the view of the court, such control forms an essential component of the protection of individuals in the processing of their personal data. The importance of this argument is not least reflected by the fact that the ECJ included this consideration in its press release on the cited ruling.

Possible impact

What are the effects of this ruling? The ECJ’s arguments might have an impact beyond the case that triggered the ruling. They might in fact touch the privacy aspects of international data transfers as we know them today. Currently, it is commonly accepted by all EU data protection regulators for international data transfers that an adequate data protection level can be provided through valid and signed EU Model Clauses. But the Model Clauses neither expressly address (physical) server and data storage location requirements nor do they explicitly address compliance control aspects and related supervisory authority competencies.

Given that, it is not unthinkable that a national DP regulator, contemplating the ECJ’s reasoning, might question whether the Model Clauses give valid proof for the data in question being stored within the territory of the EU and, with this, under the competency and compliance control of a European (in the view of the Court, sufficiently independent) supervisory authority.

And the answer might be self-evident. Since the Model Claus­es do not expressly require the data recipient (in its role as the data importer) to retain the data exclusively within the territory of the EU, the authority might, based on this consideration, require the applicant to amend the Model Clauses, or it might reject the application.

In the light of these considerations, the ECJ ruling could have an impact that goes far beyond the court’s reasoning on the retention of personal data. It affects the key principles of transferring personal data outside the EU.

Wider implications

And it is not Europe alone that will have to deal with such territoriality considerations. The Russian Federation, too, is currently eager to amend the Russian Data Protection Act. The amended regulation would require that databases containing personal data of Russian citizens be located only in Russia.3 This, of course, would require all industries (banks, insurance companies, telecommunications providers, etc.) to store their Russian customer data exclusively on Russian territory.

Things are on the move. Companies will have to wait to see how national DP regulators interpret the ECJ's reasoning. But the court's reasoning clearly supports an observable European market trend: the market's increasing demand that personal data be physically retained within the territory of the EU.

1 ECJ 08.04.2014, Joined Cases C-293/12 and C-594/12 (Digital Rights Ireland and Seitlinger and others)

2 Charter of Fundamental Rights of the European Union, Official Journal of the European Communities, C-364/01, 18 December 2000.

3 cf Jones Day, Russia Adopts Restrictive Changes to its Data Privacy Law, 18.07.2014 (http://www.jonesday.com/russia-adopts-restrictive-changes-to-its-data-privacy-law-07-18-2014/)