Mullan, Alex --- "Data protection, jurisdiction and the choice of law" [1999] PrivLawPRpr 65; (1999) 6(6) Privacy Law & Policy Reporter 92

Data protection, jurisdiction and the choice of law


Abstract

Introduction

Qualifying data protection law

Jurisdiction

Liability: jurisdiction and choice of law

Data protection, jurisdiction and the choice of law

Jon Bing

This paper was originally prepared for the 21st International Conference on Privacy and Personal Data Protection, Office of the Privacy Commissioner for Personal Data, Hong Kong 1999, and was reproduced in the proceedings of the conference. A small additional comment has been added with respect to choice of law for liability (Editor).

Abstract

This paper explores some of the interlegal issues related to data protection, especially in an online environment. It tries to establish by which criteria the proper law of data protection will be determined, which is also the question of the jurisdiction of data protection authorities. Providing a tentative answer to this question, the paper goes on to discuss the hypothetical case where a data subject brings a civil suit before a court claiming damages for an invasion of privacy. For this latter issue, the jurisdiction of the courts is discussed with reference to the Lugano (and Brussels) Convention and the lex causae for both the alleged violation of data protection provisions and the liability issue are briefly discussed.

Introduction

When the international discussion on data protection started in the early 1970s, the international nature of information technology was obvious. It was equally obvious that it would be possible to escape the territory of a state introducing a data protection regime by simply relocating the data to a computer abroad. As the emerging national data protection regimes were found to be too restrictive by many, the notion of ‘data havens’ became an issue, and the international discussion was complemented by a discussion of transnational data flows (TDF).

The first national data protection Act in Sweden (1973) introduced the regulatory scheme of extending the national licensing system to the export of data as well. In this way, some measure of national control was achieved, as personal data could be contained within the country and only be transferred abroad when the Data Inspectorate deemed this appropriate. First generation data protection legislation followed this example, and this is still a common feature in most laws.

It is simplistic to observe that this only solves some of the problems implied by TDF. Systems containing data on persons citizens of or domiciled in a country can be created abroad without there being a prior export requiring licence. And there are obvious examples of situations in which it is necessary to permit the legitimate establishment of databases abroad due to the international nature of commerce — a typical example, to which we will return in this article, is a database for co-ordinating flight reservations. Once outside the territory, data protection authorities cannot enforce national law with respect to such data if, for instance, data is transferred to a third party violating the terms in a licence basic to the transfer abroad, or in relevant contracts.

Therefore, the interlegal issues (here used as a term to include both the issue of jurisdiction and choice of law) were current when the first international instruments regulating data protection were developed.[1] However, neither the Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (1980) nor OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1981) contain any specific regulation of interlegal issues. An attempt was made in drafting the OECD Guidelines, and experts in private international law were called upon to assist the working party in this respect. The attempt did not succeed, but there is an oblique reference to this in the Explanatory Memorandum paras 74-75.

Both the Convention and the Guidelines, however, reiterate the principle mentioned with respect to the Swedish Act. This is, perhaps, most clearly stated in the Convention art 12(2): a Party shall not ‘for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party’. This implies that if the transborder flow is not addressed to another Party, such restrictions may be imposed.

The Convention was also open to signature by countries which are not members of the Council of Europe. But even within Europe, not all countries ratified the Convention. The principle of the Convention art 12 therefore also created an invisible barrier to trade within Europe as far as such trade implied the communication of personal data, creating a rather obvious problem for the development of the internal market. This is some of the background which made the European Union adopt the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data.[2]

The development of the internet, boosted by the world wide web, has made the interlegal problems much more visible, not only for data protection, but also as a more general issue. Today, one looks for an analysis and understanding of the issues involved. In this article, a sketch of such an analysis will be offered, but it should be clearly understood that this is just a preliminary and tentative discussion.

Qualifying data protection law

There are two major interlegal issues to be settled. First is the choice of jurisdiction (this could be the jurisdiction of a court or an authority). Second is the issue of what law applies to the case at hand (lex causae). The latter issue in practice only relates to private law, as a court or an authority would not apply the public law of another country — if it is decided that the court or authority has jurisdiction, then the law of that country (lex fori) would be applied.

For choice of law, the traditional method of international private law applies a two step argument. First, one would specify the area of law to which the case relates (for instance liability, formation of contract and so on). Second, there would be, for the qualified area of law, criteria establishing the relevant relation to the country whose law is to be applied. A typical example would be, for liability, on the principle of lex locus delicti commissi, the place where the damage took place; or for law relating to real property, lex rei sitae, the law of the country where the property is located.

This method for choice of law has the advantage of establishing legal certainty; the parties involved in a case may easily determine what the lex causae will be. These traditional rules have been adopted by different countries and, in cases where this has occurred, it also reduces the problem of forum shopping, as the courts of all countries applying the same rule would choose the same lex causae, and then apply the same substantive rules to the case.

The traditional method gains certainty by reducing flexibility, and applying the strict rules for determining lex causae may often lead to results deemed less than appropriate. An example may be the leading Norwegian case of Irma-Mignon,[3] which concerned liability following an accident involving two ships manoeuvring on the river Tyne, approaching Newcastle. Here there was a difference between Norwegian and English substantive law. The Norwegian Supreme Court observed that both ships were Norwegian, that all the involved parties were Norwegian, and that the case therefore had its closest connection to Norway. Norwegian law was therefore chosen as the lex causae.

The method of choosing the closest connection may lead to applying a lex causae that is more appropriate for the interests involved, but it also reduces legal certainty. In a case where the overwhelming number of relevant connections points to one lex causae, the certainty may be intact. Often, however, it will be contested to which country the case has its closest connection. And one must also take into consideration the tendency for a court to chose the lex fori, which may lead to forum shopping and may reduce legal certainty. Many commentators have observed an increased tendency to apply the method of the closest connection, not only to liability issues, but also more generally.

For data protection law, at least two comments should be made with respect to the traditional methods.

First, qualifying data protection law is by no means easy. Data protection legislation will typically contain provisions of a public law nature, relating to an authority and its duties and decisions. But the law will also often include civil law provisions, typically on liability for data protection violations. The provisions of data protection legislation may therefore have to be qualified as belonging to different areas of law, to which different relevant connection criteria are assigned. Following the traditional method, different aspects of one case may then have to be decided by different lex causae, which may easily lead to distortions, as the legislation is conceived as an organic whole where the different provisions support an appropriate solution.

Second, the connecting criteria are traditionally often related to the geographical location of an event. This is self-evident in a case where two ships collide in a harbour, but less obvious in events taking place in a global computerised network. It may be difficult to determine where a certain event takes place. And even when one may identify the location of, for instance, a server, its geographical location may easily be seen as incidental to the case. Criteria linking events to territories fail in this context, and have to be replaced by criteria based on other relations.

Also, a further complication is represented by the doctrine of ordre publique, indicating that there are certain provisions basic to lex fori which will be applied regardless of which lex causae would otherwise govern the case. Such provisions will typically be related to human rights and other basic rights; for instance, a Norwegian court would be reluctant to base a decision of family law on a lex causae permitting a man to have more than one legal wife. Data protection is closely related to human rights and also to the protection of consumers — both aspects may justify ordre publique arguments. This possibility will not, however, be further pursued in this article. Here, only two aspects will be roughly sketched. First, the aspect of jurisdiction and second, the aspect of liability.

Jurisdiction

The issue addressed in this section is the jurisdiction of data protection authorities. When the first data protection legislation was enacted in the Land of Hesse in 1970, an authority — the Datenschutzbeauftragter — was introduced, and subsequently most national regimes have relied on a data protection authority. The European Directive (Chapter VI) presumes that there is such a national authority. The functions of the authority may include licensing, inspections for ensuring that data processing adheres to the substantive rules of the legislation, decisions in individual cases and so on.

In the context of this article, the nature of the functions of the data protection authority is not vital. It suffices to observe that they rely on the exercise of public authority, powers derived from the law of a sovereign state.

It follows from this that public authority only can be exercised within the territory of the state. Or rather, this is the point of departure. Public authority cannot be exercised on the territory of another state without some public international agreement between the states. But the law of the country may qualify as relevant acts or circumstances relating to the territory of other states — for instance, criminal acts committed on the territory of another state may be pursued by national courts if certain criteria are met.

In the first instance, it is therefore a matter of interpreting the national legislation to determine the geographical application of the national data protection legislation.

Some instances are directly addressed in the legislation. The French 1978 legislation applies to the remaining French overseas territories such as Guadeloupe, while the UK 1984 legislation does not apply to British overseas territories like Bermuda or the Cayman Islands. The Norwegian 1978 legislation applies to offshore installations engaged in exploration, production and transport of petroleum products on the Norwegian continental shelf.[4]

If both the controller and the processing are closely linked to the territory (that is, the controller is domiciled or established in the country and the processing is carried out in the country), then the country’s national data protection legislation has generally been applied to the controller and the processing. There are many examples of national legislation using the geographical location of the data processing or file as the principal criterion for the application of the law. But this criterion has sometimes been waived, allowing the legislation to be applied to data processing or files outside the country.

The situations specified by national law for waiving the principal criterion may vary from country to country. For instance, the Dutch 1988 legislation on data protection could apply to personal data files not located in the Netherlands when (1) the file is controlled by someone established in the Netherlands, and (2) the file contains data on persons domiciled in the Netherlands (s 47(1)). By contrast, the Belgian 1992 legislation could apply to automated processing of personal data abroad ‘where such processing is directly accessible in Belgium by means which are integral to the processing itself’ (art 3(1)(2)). This provision has been interpreted to mean that Belgian law would apply to a server geographically located outside Belgium if the data on the server is used in Belgium, originates in Belgium or is accessible from Belgium.[5] The Norwegian data protection legislation has been interpreted by the Ministry of Justice[6] as applying to a personal data register located abroad when the register can be controlled from Norway. The minimum requirement for a register to be ‘controlled’ is that a person or an organisation in Norway may access and register or store data in the register; otherwise the criterion is left rather open.

It can easily be appreciated that the principles of jurisdiction sketched above may lead to positive conflicts of authority. There will be no lack of examples where the authorities of more than one country claims jurisdiction over the same operation. An example would be the travel information system AMADEUS, operated from a database in Germany. In the decision of the Norwegian Data Inspectorate, it is stated that Norwegian law will apply as ‘collection, registration and use of the data is operated from terminals in Norway’.[7] This argument is in line with the principles sketched above, but the argument will be equally valid for any country from which the system is used by travel agencies. One should, therefore, think that the data protection legislation of all countries — at least all European countries — applied simul-taneously to this system. Such a situation would mean the system would be governed by the most restrictive provisions in all the countries in question; this may not be a major problem provided there are no incompatible provisions being applied.

It is on this background that the European Directive was adopted, introducing a provision governing national jurisdiction of data protection legislation in art 4 on ‘National law applicable’:

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; where the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State’s territory, but in a place where its national law applied by virtue of international public law;

(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.

2. In the circumstances referred to in paragraph 1(c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.

One will see that the primary criterion of the Directive is ‘establishment’: the law is chosen according to the link between a person (physical or legal) and the territory on which this person is established. This is different from the principle common to much data protection legislation indicated above, where it is the link between the controller and the processing operation which is emphasised.

The preference for the criterion of establishment is common to a number of European Directives, for instance the Directive on Transnational Television,[8] and the draft Directive on Electronic Commerce.[9] The advantage of this criterion is that it is rather strict; where an enterprise is established will generally be a matter of record, in first instance a reference to national company law. However, it would seem that the criterion will be interpreted as a reference to EU law, as laid down in the Treaty of Rome, and made subject to an autonomous interpretation by the European Court of Justice. Reference is made to this in the preamble of the draft Directive on Electronic Commerce, where it is indicated that the decisions of the court clarify the criterion sufficiently for it to create the necessary legal certainty. The decision to which specific reference is made[10] states:

It must be observed in that regard that the concept of establishment within the meaning of art 52 et seq of the Treaty involves the actual pursuit of an economic activity through a fixed establishment in another Member State for an indefinite period.

For those countries bound by the Directive on data protection, the issue of jurisdiction would then seem to be settled — but only to some extent. One will note from the cited art 4(1)(a) a second alternative: if an enterprise is established in more than one country, the enterprise will have to observe the data protection law in all the countries in which it is established. As we have seen, national data protection legislation may include an extraterritorial element defining the jurisdiction of the national data protection authority by criteria deviating from those of the Directive. One may argue that the reference to national data protection law also includes a reference to the principles of jurisdiction, therefore an enterprise established in both country A and country B may find that the principles of the national law of country B imply that country B also has jurisdiction over the processing taking place in country A. This would be contrary to one of the objectives of the Directive, which is to avoid a situation where ‘the same processing operation might be governed by the laws of more than one country’.[11] Based on this objective, it may be argued that the Directive should be interpreted in such a way that a positive conflict of authority is avoided, and that consequently the expansion according to deviating national criteria for jurisdiction should not be applied.

The Directive may imply the necessity of amending some of the current national principles for jurisdiction. An example is provided by a Norwegian case.[12] The cruise ship Vistafjord operated in the Caribbean, and in practice never entered Norwegian territorial waters. The cabin personnel were provided by a local catering operator and this operator processed files of the employers. The Ministry of Justice found the Norwegian data protection legislation applicable, referring to the fact that the ship was registered in and operated from Norway regardless of the territorial waters in which it would be sailing. The Ministry further referred to the objectives of the legislation, and found it would be invidious if one could circumvent the application of the data protection legislation by the location of the files on employees. If, in this case, the ship had been cruising the Mediterranean and the caterer has been established in Greece, it would follow from art 4(1)(a) that Greek data protection law should govern the case. In this way, the jurisdiction of the Norwegian data protection authority would be restricted compared to the situation before the Directive took effect.

However, in the actual case the controller was established in the Caribbean. According to the cited art 4(1)(c) a different principle is applied when the controller is not established on Community territory. In this case, the secondary criterion takes priority, which qualifies the location of ‘equipment, automated or otherwise’ sufficient to give a Member State jurisdiction. An exception is made if the equipment is only used for transit through the territory of the Community, which clearly was not the case in our example. Therefore, if the computer equipment used to maintain the files on the cabin personnel was located aboard the ship (which indeed was the case), and the ship under Norwegian flag is qualified as Norwegian territory (which also would be the case), then the Norwegian data protection authorities would also have jurisdiction under the provisions of the Directive.

The example begs for the hypothetical of the catering firm removing the equipment from the ship and placing it abroad in some Caribbean territory. This would seem to remove the relation to Norwegian jurisdiction, and may illustrate the weakness of this criterion. It may in some cases be easy to circumvent the application of a data protection law conceived as restrictive.

But the example also indicates an aspect of the Directive that has not been widely discussed: the ‘extraterritorial’ implications of its principles. In an online environment like the internet, servers and end-user work stations are accessed and are often involved in the transaction — without discussing the technology, cues like ‘caching’ or ‘cookies’ may indicate the operations involved. It may be argued that this involves the use of equipment on the territory of one or, indeed, several Member States, and that this would extend the jurisdiction of these Member States to the processing of such data. It would also require the controller to be represented in that Member State (art 4(2)), a requirement which clearly could only be enforced with great difficulty and which would require major resources. A further clarification of what is required for such use of network services to constitute use of equipment, perhaps through a somewhat broad interpretation of the exception for transit, still has to emerge.

The Directive art 4 constitutes the first and only set of provisions in an international data protection instrument to deal specifically with the issue of jurisdiction. It can be seen that the Directive is in line with other directives in employing as its principal criterion the controller’s place of establishment, largely irrespective of where the data processing is carried out. It can certainly be argued that this is a more stable criterion than those related to data processing equipment, location of files and so on, and less prone to be circumvented by technical means having no impact on the operation of the controller. This is, to some extent, illustrated by the brief discussion of the Directive art 4(1)(c) above.

It has still to be seen, of course, if other countries will follow this example and place emphasis on the relation of the actors — physical or legal persons — to a territory, rather than the actions, which perhaps would be more in line with conventional principles for choice of law. It may be argued that first, the emphasis on the actors is more appropriate as a regulatory technique, and second, that the adoption of this principle by a rather important region, especially with respect to data protection law, is an argument in itself for other countries, or other future international legal instruments, adopting the same strategy.

Liability: jurisdiction and choice of law

As mentioned above, data protection law includes provisions of different natures. To the extent interlegal issues have been discussed, the discussion has generally been limited to determine ‘the proper law of data protection’; that is, the jurisdiction issue discussed above. In this section we will, however, address another aspect, which may also have some practical interest.

We suggest a conflict arising from a controller processing data in such a way that a data subject claims that his or her rights have been violated when there are no contractual relations between the controller and the data subject. The data subject sues the controller, claiming compensation for the violation. This is a civil liability suit, and at least two major issues emerge: first, when a court has jurisdiction, and second, the choice of law.

The jurisdiction issue is not identical to the one discussed above, where the emphasis was on to what extent a data protection authority may apply national data protection law. The court will have to determine whether it has jurisdiction over the liability case. This will be a question of liability outside a contract. Between countries of the European Union, this will be determined by the Brussels Convention of 1968. The Lugano Convention of 1988 is a parallel convention, which also may have countries not members of the European Union as parties. We presume that the country of the forum is a party to one of these conventions, but make reference only to the Lugano Convention.

The Lugano Convention art 5(3) specifies the court of the place of damage as the court having jurisdiction. The ‘place of damage’ may be either the case where the damage was caused, or the place where the damage has an effect.

We observe that the criteria of the Lugano convention are traditional, presuming that the relationship between an act and a territory is sufficiently obvious to establish legal certainty with respect to jurisdiction. However, as we have discussed above, this relation becomes tenuous in online environment. If damage is caused by someone shooting his or her gun and killing a cow on the other side of a national border, there is no doubt with respect to the location of the cause of the damage or the effect of the damage. If a controller fails to comply with data protection regulation, for instance causing personal data to be made available to a third party in another country, it may be less simple to locate the cause of the damage: is this the country in which the controller is established, or is it the country in which the third party is established, or perhaps the country in which the actual transaction took place?

It would seem a safe point of departure to maintain that under the European Directive, the obligations of the controller are laid down by the country in which the controller is established. A court in this country would therefore always have jurisdiction, as it is the provisions of the law of this country that it is claimed has been violated, and this violation is the cause of the damage.

If the country of the forum is not bound by the European Directive (but is a party to the Lugano Convention), it would seem then that the court first has to decide on the proper law of data protection. If this were the law of the forum, the court would have jurisdiction, as it is a violation of this law that is claimed to be the cause of damage.

If the case is brought before a court of a country whose law is not the proper law of data protection, it may still be maintained that the court has jurisdiction if it can be argued that the cause of the damage is related to that territory. For instance, the data subject may maintain that the violation has occurred with respect to a server operated by the controller in a third country. A court in this third country may argue that it has jurisdiction, as the transaction related to the server on the territory of the country of the forum is claimed to be the cause of the damage. In determining whether a violation of data protection has occurred, however, the court would then have to apply the proper law of data protection — under the European Directive, this would be the law of the country in which the controller is established. We see therefore that even under the European Directive, courts outside the country where the controller is established may have jurisdiction according to the first alternative of the Lugano Convention art 5(3), being the country in which the damage was caused.

However, the Lugano Convention art 5(3) also has a second alternative: the country in which the damage occurs. The more interesting possibility of this alternative is that the court of the domicile or residence of the data subject may have jurisdiction. It is presumed that the law of this country is not the proper law of data protection (that is, under the European Directive) and that the controller is established in another country. It is further presumed that it cannot be argued that the damage was caused in the country in which the data subject is domiciled or is residing. For the data subject, it would be an advantage if the court in their country had jurisdiction, as the data subject would not have to go to another country to sue the controller, with the costs and practical difficulties this implies.

A leading case of the European Court of Justice — Shevill et al v Presse Alliance SA[13] — may be of interest. Briefly, the case concerned an item in a newspaper implying that a young woman, Fiona Shevill, was involved in drug trafficking. Ms Shevill was a British subject residing in England, while the newspaper was published in France, but distributed internationally. It was estimated that while 237,000 copies were sold in France, 15,500 copies were distributed to other European countries, with only 230 copies sold in England and Wales, and of these 15 in Yorkshire, where Ms Shevill was living. The High Court of England and Wales found that it did not have jurisdiction and the case was appealed to the House of Lords, which asked for an opinion by the European Court of Justice in this respect. The European Court found that the damage had an effect in Yorkshire, the decisive point being that in a case of libel, the effect is caused where the victim suffered the damage, provided that the victim is known at that place, and so has a reputation to defend.

Applying this reasoning to data protection, it can be argued that the question would be whether the victim had an interest in his or her privacy in the country where he or she is domiciled or is residing. Under the Data Protection Directive, it can be little doubt that a minimum standard of protection is offered to all persons in the European Union, and it would seem to follow that the court of the country in which the data subject is domiciled or residing would also have jurisdiction according to the criteria of the Lugano Convention.

Having decided that it has jurisdiction, the court then has to decide whether a violation of the data protection provisions has taken place. To do this, the proper law of data protection has to be applied. And as discussed above, under the European Directive this would be the law of the country where the controller is established. This may be a law different from lex fori.

Presuming that the court finds that a violation has occurred, the court has to choose the law for determining liability. It may be disputed whether this is co-ordinated by the European Directive. One may take the position that the Directive art 4 identifies the proper law of data protection for ‘the national provisions [the Member State] adopts pursuant to this Directive’. According to art 23, the Member states are obliged to ‘provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered’. This is, therefore, an obligation under the Directive to include liability provisions for data protection violations, and in this way such provisions may be seen as being ‘pursuant’ to the data protection Directive.

This is, however, a somewhat formal argument. Clauses on liability for data protection violations are related to those applying to the invasion of privacy, which will often have, in national law, a sufficiently broad scope to include violations of the provisions introduced pursuant to the Directive. In my opinion, it may be somewhat artificial to construe such traditional provisions as being introduced pursuant to the Directive, and also apply the ‘proper law of data protection’ for the choice of law with respect to liability. But this is certainly one possibility for the interpretation of the Directive which should not be omitted.

But if we rely on the traditional criteria determining the lex causae for liability, we have already mentioned the principle of the lex locus delicti commissi. If the court has decided it has jurisdiction based on the Lugano Convention art 5(3) second alternative, it has already decided that the damage has had an effect in the country of the forum, and it may seem reasonable to argue that in such a case, the court will also specify the country of the forum as the country in which the damage has been committed. But, as the Lugano Convention illustrates by its alternatives, this criterion may point to more than one country. There is, as observed above, a tendency for courts to chose lex fori in practice even when another choice is possible in principle; it therefore would seem probable that the court would chose lex fori based on the traditional principle of lex locus delicti commissi.

A Norwegian case[14] may illustrate this issue. The case relates to a Swedish television broadcast which was found to be defamatory to Norwegian sealers. The court decided it had jurisdiction based on a principle identical to the Lugano Convention art 5(3), though Norway was at the time of the injury not party to this Convention. In making the choice of law, the court stated that the fact that the court had jurisdiction was not decisive with respect to the choice of law. However, the court applied the method of closest connection, and found that the television broadcast concerned Norwegian sealing, catching methods and practices of Norwegian vessels. The charges were directed towards Norwegian sealers, and the harm to their reputation mainly concerned Norway, where transfrontier television made the programs available for a Norwegian public.[15]

Though the case relates to television, it is rather similar to a hypothetical case of defamation on the internet. Also, defamation is in nature related to an invasion of privacy or other violations of data protection provisions. It would, therefore, seem probable that a court might argue in the same way with respect to a hypothetical case for choice of lex causae for liability. The traditional criterion of lex locus delicti commissi has the weakness, mentioned several times in this paper, that it presumes a certain relation between the act causing damage and a territory — a relation which is less obvious in an online environment. As the method of closest connection has increasingly been preferred in practice over the traditional method for liability law, one may argue that this method will also be applied in a case involving violation of data protection provisions. One will note that in the Norwegian case, application of the traditional criterion of lex locus delicti commissi may have had the same result, depending on the determination of where the damaging act was committed (the alternatives of the Lugano Convention art 5(3) of the country of the cause and the country of the effect of the damaging act).

Admittedly, the reasoning above is tainted by speculations and not supported by satisfactory reference to legal sources. We will obviously have to wait for further regulatory initiatives or case law before one may argue with a higher degree of certainty with respect to the choice of law for liability.

But it should be pointed out that the law relating to liability might vary to a great extent between different countries. The European Directive art 23 requires that member countries implement provisions granting compensation for violations of the data protection provisions following the Directive. It is, however, unclear whether this requires member countries to ensure that there is compensation for non-economic loss, and the co-ordination is limited to this general requirement.

There is diversity among countries in the law relating to liability, especially with respect to non-economic damage, which is the probable damage in privacy cases. For instance, many European countries require statutory authorisation to award such damages, while the Common Law countries have a less strict doctrine.

If an economic damage is suffered, this generally will not be caused by an injury to physical goods or to persons, but will be of a more indirect nature; for instance, a missed business opportunity due to misleading personal data made available to a third party. To award damages for such injury, there are often different requirements. For instance, in Sweden it is required that the act be criminal in order to award damages, while in the neighbouring country of Norway an modified version of the culpa principle is applied.[16]

This implies that there may be an advantage in forum shopping in such instances, given the lack of certainty in the choice of law, and the tendency for a court finding it has jurisdiction, to apply lex fori as the lex causae.

Obviously, this leads to the next issue — to what extent judgements in a court of a country in which the controller is not established may be enforced with respect to the controller. However, this issue is beyond the scope of this article.

Jon Bing is Professor, De juris, at the Norwegian Research Center for Computers and Law, Faculty of Law, University of Oslo, Norway.

Acknowledgement is made to the work done by Lee A Bygrave of the Norwegian Center for Computers and Law (NRCCL), Faculty of Law, University of Oslo within the ECLIP project. ECLIP (Electronic Commerce – Legal Issues Platform), ESPRIT Project 27028, is founded by the European Commission, and is a co-operation between five European universities, the Centre de Recherches Informatique et Droit (CRID), Namur; Centro de Estudos de Derecho e Informatica de Les Illes Balears, Universitat de les Illes Balears; Information Technology Law Unit of the Centre for Commercial Law Studies, Queen Mary and Westfield College, London; Institut für Informations, Telekommunikations-und Medienrecht, Westfälische Wilhelms-Universität, Münster and the NRCCL.