The Montenegrin Data Protection Agency recently joined the club of the authorities in Europe who have publicly taken a position on whether their national data protection laws apply to Facebook. The Montenegrin law, said the agency in an opinion published on 15 July, does not apply.
Unlike some other DPAs, however, the Montenegrin one offered virtually no explanation for its opinion on whether the national law applies or not. In this blog post, we will address the issues that, in our opinion, the Montenegrin DPA should have examined before taking a position on the matter. The Montenegrin DPA was wrong – or at least used imprecise wording – when it made the sweeping statement that “the provisions of the [Montenegrin Data Protection] Act do not apply to data processing on the part of Facebook”. It is less clear, however, whether the Montenegrin law should apply to the narrow issue with which the DPA was seized.
The Montenegrin law (mainly) follows the EU Directive
In May 2015, an editor of the website of a Montenegrin non-governmental organization (Center for Democratic Transition) invited the DPA to opine on the measures Facebook has taken to enforce its Real Name Policy. Under the policy, Facebook users must use their real names and email addresses when joining the social network. If Facebook has doubts about veracity of the data, it asks the user to send a scanned copy of his or her I.D.; if the person refuses, Facebook closes his or her account. The website editor wanted to know whether Facebook could lawfully request I.D. from a user and whether the user is obliged to furnish it.
The Montengrin DPA found that, based on Article 5 of the Montenegrin DP Act, the legislation did not apply to data processing on the part of Facebook.
Article 5 of the Montenegrin DP Act is similar to, and has been drafted after, Article 4 of the EU Data Protection Directive, although it does not copy Article 4 verbatim. Due to the similarity, the decision of the Montenegrin DPA offers itself to a comparison with the decisions by EU Member States’ data protection authorities which have examined applicability of their national laws to Facebook (or Google) under national provisions implementing Article 4 of the Directive.
Article 5 of the Montenegrin DP Act states, in the relevant part:
- Data controllers who process personal data in the territory of Montenegro, or outside Montenegro when the laws of Montenegro apply in accordance with international law, shall be bound by the provisions of this Act.
- The Act shall also apply to a data controller which was established outside Montenegro or has no residence in Montenegro, if the equipment for data processing is located in Montenegro, unless such equipment is used solely for transit of personal data through the territory of Montenegro […].
As a point of comparison, Article 4(1) of the EU Directive provides that each Member State applies the national provisions it adopts pursuant to this Directive to the processing of personal data where:
- the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State […];
- the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.
When the Montenegrin DPA reached the broad conclusion that the Act did not apply to Facebook, it surely reasoned that Facebook – as the data controller – did not process personal data on Montenegrin territory.
The DPA’s stance on non-applicability of the national law in general – a step too far
But is it true that Facebook, when implementing its Real Name Policy, does not process personal data in the territory of Montenegro? In our view, the Montenegrin DPA erred in failing to examine the impact of Article 5, paragraph 2 of the Montenegrin DP Act to the case before it. The reasoning of a spate of decisions and other pronouncements by data protection agencies and by courts in Europe, in the past years, indirectly suggest that the Montenegrin DP Act might be applicable to Facebook’s processing of personal data because Facebook’s “equipment for data processing” is arguably “located in Montenegro”.
The key factor justifying the above conclusion is – Facebook’s use of cookies. Assuming that Facebook indeed uses cookies in order to acquire information on the online activities of its members, cookies and the user’s computer are the “equipment for data processing” and they are located in Montenegro.
Under the pronouncements of the relevant authorities in the European Union and its Member States, when websites and social media use cookies, they subject themselves to the application of the national law of the state where the user’s computer is located. Information about the user (his/her IP address) and his/her online activities is stored in the “electronic communications terminal equipment” (a computer) of the user. Cookies access that information on the browser installed on the user’s terminal and collect the information.
In terms of the data protection law, accessing and collecting personal data are forms of data processing, whereas cookies and the PCs are the equipment used for the processing.
The Spanish Data Protection Agency (AEPD) and the Sanctions Committee of the French Data Protection Authority (CNIL) were among the first to apply the cookies argument in binding decisions, in December 2013 and January 2014 respectively. Both agencies concluded that the national data protection law applied to Google Inc., although the company was established in the United States, i.e. outside the relevant jurisdiction.
According to CNIL, cookies used by Google Inc. in relation to users of Google Search, Google Maps or YouTube are “means of processing” located on French territory. Moreover, according to CNIL,
“all equipment and software involved in these actions of reading or writing information – including cookies and similar tools – must be considered as means of processing”.
Consequently, Article 5, paragraph 2, of the French Data Protection Act applies. That provision is almost identical in the relevant part to Article 5, paragraph 2, of the Montenegrin DP Act.
The Belgian Data Protection Authority (CPVP) applied the same reasoning in a case involving Facebook, in a recommendation dated 13 May 2015. The CPVP determined that the data controller, Facebook Inc., was not established in Belgium, but the national law governed nevertheless because Facebook Inc. used “automated means for the purposes of processing personal data on this territory, using cookies for example”.
Data protection agencies are not the only ones that used the cookie argument to determine that the national data protection law applies. On 24 January 2014, Berlin Court of Appeals reached that same conclusion, finding that Facebook Inc. (based in the United States) was the data controller that used “equipment” in Germany when it set cookies on the devices of German users and arranged the data processing.
In reality, the data protection agencies and the German court did little more than restate what the Article 29 Working Party has determined – in a non-binding but highly authoritative manner – all the way back in 2002, in a Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites (WP 56). The Working Party explained that, when a cookie is placed on the hard disk of the user’s personal computer (while a copy might be kept by the web site or a third party), “the user’s PC can be viewed as equipment in the sense of Article 4 (1) c of Directive 95/46/EC”.
In the specific case, unclear whether the national law should apply
While Facebook generally does process personal data in the territory of Montenegro via cookies, with the consequence that the Montenegrin DP Act should apply to such processing, it is less than clear whether the circumstances of the particular case which the Montenegrin DPA confronted called for the application of the Montenegrin law.
The data processing in this case has the form of collection of copies of I.D.s, which the Facebook users in Montenegro send by electronic means to the company. No use of cookies seems to be involved in these interactions. Accordingly, if the collection of I.S.s is viewed in isolation, the argument in favour of DPA’s jurisdiction which would be based on the location of the equipment is not available.
At the same time, the use of cookies might be what enables Facebook to identify in the first place the potential use of false identity by a user and to address the user by requesting a copy of his or her I.D. If that is the case, one could argue that, when Facebook collects the copies of the I.D.s from the users, such data processing is inextricably connected to the data processing which Facebook effectuates by using the cookies, with the result that the Montenegrin law – applicable to the latter activity – should also apply to the former activity. The Montenegrin DPA missed an opportunity to tackle this side of the story. Instead, it took an easy way out by making a general, one-sentence assertion that the DP Act did not apply to data processing on the part of Facebook.