On 29 June 2016, the Higher Administrative Court of Hamburg decided in favor of Facebook in a legal battle with the Data Protection Authority (DPA) of Hamburg (decision in German).
The Court stated, in essence, it is an open question whether the administrative order of the Data Protection Authority was lawful. The Court identifies two “open” aspects: the territorial competence of the Hamburg authority; the applicable data protection law. This depends largely on the interpretation of the current EU Data Protection Directive (especially Art. 4 para 1 a) with regard to the question of applicable law; and Art. 28 para 1 and 3 with regard to the territorial competence of the authority). In the current jurisprudence of the Court of Justice of the European Union (ECJ), it is not clear whether the EU Data Protection Directive would permit that the DPA could proceed pursuant to national rules against the Irish resident applicant (Facebook Ltd.) with powers of intervention. Because the division of powers between the national data protection authorities and the power of intervention of the German data protection authority in cases where a parent company (here: Facebook Inc., USA) holds multiple offices within the Union, which have different tasks, is not clear. In April, the German Federal Administrative Court made a reference for a preliminary ruling to the ECJ, concerning, among other things, also on the question of an authority’s competence (see our blog post, of the reference for a preliminary ruling).
Due to this legal uncertainty and open questions, the Court therefore had to balance the involved interests. The interests of the DPA and of the user of immediate use of the Facebook account under a pseudonym do not outweigh the interests of Facebook, particularly due to the unclear power of intervention of the Hamburg DPA against Facebook Ireland Ltd.
With regard to the question of the competence of the DPA, the Court holds that the ECJ Google decision (C-131/12) and its reasoning cannot be applied in this case, since Facebook Ireland Ltd. is a data controller established in the Member State of the European Union, whereas in the ECJ Google decision the data controller (Google Inc.) was established outside of the European Union.
Also the ECJ decision in Weltimmo (C-230/14) can’t clarify this open issue, because in that case, the decision did not concern the present constellation of two legally independent subsidiaries, with different factual and regional tasks, and a parent company residing outside EU territory.
With regard to the question of applicable law, the Court holds that it is not evident that German data protection law would apply. The Court also mentions the opinion of Advocate General Saugmandsgaard Øe in the case C-191/15 (currently pending at the ECJ; the ruling will be delivered on 28 July), where the Advocate General stated that only one national data protection law could apply to on data processing operation within the European Union.