The Article 29 Working Party have adopted an Opinion on applicable law. The Working Party is the EU’s independent advisory body on data protection and privacy and is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission – so an Opinion on such a topic really counts.
The rules determining applicable law address the question of which national law applies to the data processing of companies that operate internationally. According to the Working Party, the current European Data Protection Directive 95/46/EC contains a provision on applicable law (Article 4) that is not very easy to understand and implement. The Article 29 Working Party explains in its Opinion the different elements that need to be considered to determine the applicable law and illustrate this with several examples.
The point of departure in answering the question of applicable law is the place where the data controller is established. However, in cases where companies are processing personal data in the context of establishments in several countries, establishing the applicable law is more complicated. For instance, if a Danish citizen applies for a loyalty card at the Copenhagen branch of an Italian chain of fashion stores, his data are collected by the store in Denmark and Danish law applies. However, if the Italian headquarters of the chain uses the data to offer the same Danish customer special promotions through direct marketing, Italian law would be applicable for that part of the data processing. That is because the direct marketing takes place in ‘the context of the activities’ of the Italian HQ. This example is used by the Working Party to illustrate that the key factor in determining applicable law is the context in which the processing is carried out. Both place and nature of normal activities play an important role in defining the context.
The Article 29 Working Party not only aims to clarify the current situation on applicable law, it also gives several recommendations to improve the current provision in view of the upcoming proposal for a new and comprehensive data protection legal framework in 2011. Most importantly, the data protection authorities ask the Commission for a simplification of the rules on applicable law, especially in situations where one company has branches in several Member States. They say that the simplification would provide the necessary clarity both for the consumer and for the companies.
The Opinion was adopted on 16 December. The pre-Xmas radar missed it, so the Editor thanks the Datonomy blog for highlighting it.