In a ruling on Google Inc., Europe’s top court created a “Right to be Forgotten.” For Facebook Inc., it also resurrected an almost forgotten battle.
Johannes Caspar, the city of Hamburg’s data regulator, says the European Union Court of Justice ruling in May bolsters his bid to force Facebook to comply with German law. He says he discussed the issue with the company at a meeting in August.
“We hadn’t had a meeting with Facebook for a long time” since “the company always insisted it’s only bound by Irish” enforcement of EU data rules, Caspar, 52, said in an interview. Unless Facebook changes its mind “the issue may need to be clarified in court.”
German regulators have been fighting with Facebook for years over the implementation of European data-protection rules. The U.S. company, which has its European headquarters in Dublin, has argued that the Irish regulator has jurisdiction over its compliance with privacy law. German courts had backed the company’s position.
While the EU court’s Google ruling forced the world’s largest search provider to remove some personal information from search results, Caspar says it also expands the role of data-protection authorities. The court said Google couldn’t ignore requests made by a Spanish web user, backed by the country’s privacy regulator, because the company had an advertising unit in Madrid.
For years, EU officials have been trying to centralize oversight of data-protection issues so companies don’t have to face multiple regulators throughout the 28-nation bloc. German and French regulators have chafed against EU legislation, which would switch responsibility to countries like Ireland and Luxembourg, where most U.S. tech companies have their European headquarters.
Caspar says the Google ruling has reopened the issue, for Facebook and other tech companies.
“The ECJ ruling bolsters the jurisdiction of the national data protection authorities,” said Caspar, who also teaches law at Hamburg University. “It determines that national law is applicable to data processors which have a unit in the country, even if its activity is merely to economically support the Internet offerings.”
A German spokesman for Menlo Park, California-based Facebook declined to comment.
At the meeting last month, Capsar told the company to “swiftly” respond to questions the company received in March. Facebook has now promised to answer this month, he said.
In its May ruling, the ECJ said U.S.-based Google is subject to Spanish law because it has a unit in that country selling advertising. Since the ads are displayed next to search results and finance the website, both activities are “inextricably linked.”
“The ruling was a real bombshell,” said Indra Spiecker genannt Doehmann, a professor of information law at Frankfurt University. That’s true for “the right to be forgotten as well as the jurisdiction of national regulators and the applicability of EU rules.”
German regulators say the Irish haven’t done enough to make Facebook respond to issues identified in a regulatory audit of the company. Caspar also says users should be able to turn to local authorities with complaints.
“We also must secure that the choice of headquarters won’t lead to global Internet providers fortifying in ’data protection deserts’ to escape an effective control of privacy rules,” Caspar said.
Former Irish data protection regulator Billy Hawkes has said that some of the criticism has improperly confused privacy law with complaints that his country is “a tax haven.”
“I’ve often had to publicly defend, or uphold, our position in a forum in Germany,” Hawkes said in July, before he stepped down as head of the Dublin-based regulator that oversees Facebook and Apple Inc. “I often push and say ‘what exactly is wrong with our law, what exactly is wrong with what we’re doing?’”
Making one regulator responsible for the whole bloc would mean “less red tape and the application of the same rules across Europe,” said Michele Cercone, spokesman for the EU commission, the EU’s executive arm. The commission wants the reform to advance as quickly as possible, he said.
One of the region’s most aggressive privacy regulators, Caspar oversees data-protection issues in Hamburg, a German hub for the media and advertising industries. Along with German publishers and newspapers, both Google and Facebook have advertising units in the city.
At the August meeting, Caspar discussed with Facebook what the company does with information on users who visit fan pages on the social-networking site. The Hamburg regulator is monitoring a related case over an order issued by his colleague in the German state of Schleswig-Holstein. The fan-page owner, not Facebook, was the target of that order and sued.
A court ruled in the case today that Facebook, rather than the individuals running Facebook fan pages, are responsible for handling user data.
This sort of ruling would move “the option into focus, to enforce the rules directly against Facebook,” Caspar said earlier this week.
The German regulator isn’t guaranteed victory in national courts because there are differences between Google and Facebook, said Isabell Conrad, an attorney at SSW Schneider Schiffer Weihermueller in Munich. Unlike Facebook, Google has rejected EU privacy regulation, saying that its data is processed in the U.S.
“Maybe Facebook was a little bit smarter than Google,” Conrad said. “Facebook probably understood that it’s hard to avoid EU rules and picked a country which implements EU rules rather liberally. It’s possible this strategy will prevail in the new dispute with the Hamburg regulator.”
If Caspar is ultimately successful, other U.S. companies such as Apple Inc. and Yahoo! Inc. -- which also use Ireland as their main European base -- may face challenges in EU states where they have advertising units, said Spiecker, the Frankfurt law professor.
“Caspar is a heavyweight in the data protection scene,” Spiecker said. He certainly isn’t making this move against Facebook “without reflection,” she said.