On 3 November 2020 the Court of Milan ruled for the first time ever on the application of Article 79 of the Regulation (EU) n. 2016/679 (General Data Protection Regulation – so-called “GDPR”) and its interplay with Regulation (EU) n. 1215/2012 (“Brussels I bis”) with regard to jurisdiction over data protection claims. As a result, the Court has stressed the importance to interpret the connecting factors under art. 79 with a view to safeguarding the principles of legal certainty and predictability, by avoiding their over-extensive interpretation.
A Dutch entrepreneur of Italian origin sued a UK company and its Italian affiliate claiming for the enforcement of his right to be forgotten pursuant to Article 17 GDPR and for the compensation of damages allegedly suffered because of the unlawful processing of his personal data by the UK defendant, which collects information about individuals from public sources and make them available to subscribers of the service.
Namely, the plaintiff argued that, because of the alleged unlawful processing of his personal data perpetrated through the information service, he had suffered negative consequences on his business activity. He therefore decided to bring an action in Italy claiming that Italy was his country of habitual residence and that the controller (i.e. the UK defendant) has an establishment in Italy within the meaning of Article 79(2) GDPR because of the presence of the Italian affiliate (i.e.the second defendant) allegedly involved in the commercialization of the concerned database in the country.
The legal framework: Article 79 GDPR and the clashes over its interpretation
The main provision concerning jurisdiction on data protection claims is Article 79 GDPR, which provides that a data subject (i.e. the natural person to whom personal data refers) shall have the right to an effective judicial remedy in case of alleged infringements of his rights under the GDPR (Article 79(1)).
To ensure that effective remedy, Article 79(2) provides the data subject with the alternative to bring the claim before the courts of the EU Member State where the controller (i.e. the entity that determines the means and purposes of the processing) or the processor (i.e. the entity which processes personal data on behalf of the controller) has an establishment or before the courts of the Member State of his/her habitual residence.
Since the GDPR entered into force, scholars clashed on the interpretation to be given to the two mentioned connecting factors, without reaching common solutions.
The divergent opinions, in particular, concerned the connecting factor of the “establishment” of the controller (or of the processor). As a matter of fact, the dividing line ran between those emphasizing the protecting goal underlying Article 79 GDPR in favor of the data subjects and those who instead leverage the principles of proximity and predictability of jurisdiction.
In this respect, it must firstly be noted that the notion of “establishment” shall be interpreted autonomously. To this end, regard should be had to recital 22 GDPR, according to which establishment implies the effective and real exercise of activity through stable arrangement and the legal form of such arrangements […] is not the determining factor in that respect. Furthermore, it is worth to mention that the CJEU repeatedly proposed an extensive interpretation of that notion, arguing that the concept of “establishment” shall be considered as a flexible one, departing from formalistic approaches (see Weltimmo ruling).
Moreover, it should be noted that Article 79(2) GDPR refers to “an establishment” of the controller (or of the processor) and not to “the establishment” or to the “main establishment”, which is a concept used by Article 56 GDPR for the identification of the competent lead supervisory authority. The literal interpretation of this wording suggests that data subjects, in case of multi-national counterparties, could bring the proceedings before the courts of any of the Member States where the controller (or the processor) has an establishment, irrespectively for the place where the allegedly unlawful processing or damages happened. Such an interpretation is however challenged by scholars who argue that it can leave the door open to forum shopping and affect predictability.
A narrower interpretation is that proposing that the sole establishment relevant for the operation of Article 79(2) GDPR is the establishment in the context of the activities of which the processing is carried out. That interpretation relies on the same connecting factor used by Article 3(1) to define the territorial scope of the GDPR, as interpreted by the CJEU in the Google Spain ruling on Article 4(1)(a) of the repealed Directive 95/46/EC. According to Google Spain, in particular, the processing is carried out in the context of the activities of an establishment of the controller on the territory of a Member State when the operator of a search engine sets up in that Member State a branch or affiliate which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State. Accordingly, that branch shall be considered as an “establishment” within the meaning of Article 4(1)(a) Directive 95/46/EC and Article 3(1) GDPR.
The Interplay between Article 79 GDPR Brussels I bis Regulation
Another issue to be considered when dealing with jurisdiction on data protection matters is the interplay between Article 79 GDPR and Brussels I bis Regulation.
In this connection, recital 147 GDPR explicitly provides that Brussels I bis Regulation should not prejudice specific rules on jurisdiction contained in the GDPR. This statement accords with Article 67 of Brussels I bis Regulation, according to which that regulation shall not prejudice provisions on jurisdiction in specific matters which are contained in instruments of the EU, such as the GDPR.
It comes from the foregoing that Article 79 GDPR is not the only provision to be considered when ruling on jurisdiction on data protection matters. Indeed, also Brussels I bis Regulation can be relevant to the extent that its application would not contradict Article 79 GDPR or affect the integrity and consistency of the special protective regime provided therein.
The “establishment” connecting factor and the emphasis on the “effective remedy”
More interesting are the Court’s conclusions on the “establishment” connecting factor set forth by Article 79(2) GDPR. The Court has embraced a novel application of it, strictly related to the concept of “effective remedy” referred to in Article 79(1) GDPR and largely influenced by the general principles of Brussels I bis Regulation. Indeed, the Court argued that Article 79 GDPR shall be read in light of those principles, as also suggested by recital 147 GDPR. In particular, the Court referred to recital 16 of Brussels I bis Regulation, according to which special attention must be given to the predictability principle in connection with violations of privacy rights.
Bearing this in mind, the Court stated that, for the purpose of Article 79(2) GDPR, it must firstly be assessed if the controller (or the processor) has an establishment in the Member State of the seized court. That establishment, according to the Court, shall have a qualified relationship with the data processed in order to be relevant for that processing operations.
As an alternative, the Court argued that the notion of “establishment” can receive a wider interpretation, such as that provided by the CJEU in Weltimmo or Google Spain, only if that interpretation is necessary to ensure the data subject with an “effective judicial remedy. According to the Court, indeed, such an extensive interpretation, which was originally affirmed in connection with applicable law or for the identification of the competent supervisory authority, is capable of affecting the predictability of jurisdiction and can therefore be adapted to Article 79(2) GDPR only if, without this interpretation, the data subject would be deprived of his right to an effective judicial remedy, which is recognized as a fundamental right of EU citizens by Article 47 of the Charter of Fundamental Rights of the European Union.
Conversely, if the right to an effective judicial remedy is not in danger, the Court held that the extensive interpretation of “establishment” should not be permitted. After establishing this principle, the Court quite unexpectedly stated that, if there is no need for such a wider interpretation, the issue of jurisdiction should be decided pursuant to Brussels I bisRegulation instead than under Article 79(2) GDPR, thus affirming a sort of predominance of the former.
The decision of the Court
Coming to the case concerned, the Court stated that the Italian affiliate does not have any qualified relationship with the processing of the personal data involved. In particular, the Court noted that processing is carried out by the UK company and that there are no concrete links between the commercial activities of the Italian defendant and the processing at stake.
Subsequently, the Court stressed that, since the damage allegedly suffered by the claimant did not materialize in Italy and the claimant had his center of interests abroad, there is no connection at all between that damage and Italy. Therefore, the Court argued, there is no need to ensure the claimant with his right to an effective judicial remedy in Italy through the abovementioned extensive interpretation of the concept of “establishment”.
In light of the foregoing, the Court concluded that Italy had no jurisdiction on the case and that the Brussels I bis Regulation should be applied to determine the competent court.