News Archives

Tuesday, December 27, 2016

Dutch Court Ruling a Threat to App Deployment in the EU

In late November, the Administrative Court in The Hague upheld a penalty imposed by the country’s DPA against WhatsApp for its failure to appoint a representative in the Netherlands.  The requirement to do so is found in Article (4)(2) of the EU Data Protection Directive, applicable whenever a data controller not established in the EU makes use of equipment situated in a member state for the purpose of processing personal data.  Although some observers have characterized the court’s ruling as “extreme”, it is consistent with guidance issued by the Article 29 Working Party in 2013 and in 2010, as well as with court rulings such as that of the High Court of Berlin in 2014 that Facebook was subject to German law due to its use of cookies on German computers.

WhatsApp could have satisfied the requirement to have an in-country representative by contracting with a Dutch entity and indemnifying them in case a fine or penalty was imposed as the result of a violation of data protection law.  However, the larger challenge faced by the company, owned since 2014 by Facebook, is that it would need to have a representative located in each EU member state in which its app is used.  The General Data Protection Directive, coming into effect in May 2018, eases this burden by allowing the appointment of one local representative covering all member states.  WhatsApp may appeal the court’s decision against it to the Dutch State Council, hoping that it has the exceptional case in which enforcement actions of a DPA are overturned. It may also be reluctant to have a legal representative through whom even larger fines for other legal violations – such as those involved in the merging of personal data across Facebook and WhatsApp accounts – could be extracted.

No comments:

Post a Comment