The subject of international data transfers has been under discussion since the European Court of Justice (“ECJ”) recent ruling in Case C‑362/14 (Maximilian Schrems vs Data Protection Commissioner). Beyond this ruling, there are many additional international data transfer issues of significance to be considered, including the allocation of the role of the data controller.
International data transfers and role distribution
International data transfers that are outward bound from the European Union often require prior approval from the competent national data protection regulator. International groups of companies frequently need to share personal information such as human resources data and/or customer data within their corporate group. The question that arises is whether a national (ie, local) subsidiary should be seen as the data controller, and thus be held responsible for the legitimacy of the data transfer to the corporate group?
The controller definition – legal language vs legal practice
According to the Austrian Data Protection Act as well as the Data Protection Directive (95/46/EC), the data controller “shall mean the natural or legal person […] which alone, or jointly with others, determines the purpose and means of the processing of personal data.“1
In reality, it is quite often the case that it is not a local entity but rather a parent company that actually determines how to use and transfer personal data on a corporate group level. Such demand is often driven by compliance or statutory obligations that apply to the parent company but not necessarily to the local entity (at least not to the same degree). In terms of data protection role allocation that means it is not the local entity but the parent company that makes up its mind for collecting and processing data in Austria – not purely in the interest of the local entity. In such instances the data processing is typically and primarily dominated by corporate group interests, not by the interests of the local entity. So, for example, the shipping of data from an Austrian subsidiary to a US based parent company could be seen as an initial collecting of personal data in Austria by that US company (as the data controller), and less as a transfer of personal data from one controller (the local, Austrian entity) to another controller (the US parent company). It is important to note that such interpretation would in no way create a regulatory deficit since the data collecting nevertheless has to satisfy the regulations as set out by national (in this scenario Austrian) data protection law.
Nonetheless, the argument that in such circumstances the foreign parent company effectively is the data controller for purposes of the Austrian Data Protection Act has not, to date, been accepted by the Austrian data protection authority. Instead, the Austrian regulator – like many of its equivalents in other jurisdictions – has taken the position that in all cases of international data transfers the Austrian local/national subsidiary is the controller. Recognising the (foreign) parent company as being the data controller would in no way limit their power to regulate and control conduct according to the recent ECJ ruling C‑230/14.2
The data subject benchmark
The incoherence of the Austrian data protection authority’s position on this subject becomes even more obvious when contrasted with the Austrian Supreme Court’s rulings on Austrian data protection law, which are generally based on ensuring full informational self-determination on the part of the data subject. Logically, the counterpart to the data subject (the data controller) should provide the very same level of self-determination. So, if both data collecting and data processing are predominantly driven by the parent company, it makes sense to allocate the role of the data controller to that parent company even when a subsidiary is established in the country at question.
A data controller is the one in charge of the processing of data. When it comes to corporate group data flows, why shouldn't legal interpretation appropriately reflect the reality by allocating this role to the parent company?
1Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, L281, 23/11/1995, p 31 – 50, Article 2 (d).
2ECJ, October 1st, 2015, Case C‑230/14 (Weltimmo s.r.o v Nemzeti Adatvédelmi és Információszabadság Hatóság); addressing two aspects of EU data protection law (i) the applicable law and (ii) the scope of the territorial powers of data protection authorities.