 Well, thank you for your nice invitation David Here to Cambridge. It's a great pleasure to be here. It's a great privilege to speak to you For data commissioner in Germany, it's always a great thing just to to Go elsewhere and and and try to push the idea of data protection Throughout Europe Well, I want to give you a legal assessment about the problem of the applicability of national data protection law as you see there's a structure of my essay and it Is able perhaps it helps you to to get a notion about the A short lecture It's a question for which Goes on another level. I think we we we heard about just Implication of the Google Spain a decision for for search engines But now we are on the point where we go on another level where we Can see what great impact This decision has for all kinds of platforms and the internet for all kinds of services But as the time is precious, let us begin introduction Historical judgment under two aspects Without exaggeration one can call the decision of the European Court of Justice in the case of Google Spain historical This applies at least for the central part of the verdict the judicial Derivation of the so-called right to be forgotten better called right to be delisted or right not to be found so easily The ruling brought the shocking evidence for Google and other companies that from this point on They were seen as responsible data controllers by operating internet search engines They also had to realize That they can't escape European data protection provisions even if they are settled outside the EU But have an establishment in at least one of the member states The ruling of the Court of Justice therefore not only bolsters the privacy rights of people affected by heteronomous use of the data on the internet it also clarifies the scope of Applicable national data protection law and helps to safeguard the data protection rights vice versa Parties which play on grounds where data protection normally is an alien concept Content and range of the decision the Decision of the European Court Includes that national data protection law is applicable if the activity of an establishment in the specific member state is Economically linked to the controller this applies Even in cases where the regional establishment in the member states itself has no active part in Processing personal data of the users of an internet service It is sufficient if the activity of that establishment fosters economically the data processing of the holding company Now there is a short way from the Google case to another global service provider Which has its German establishment in the state of Hamburg, you know from which kind of service I'm speaking it's biggest social network Facebook That in the past has given several reasons for taking the data use policy under close Chutini to the data protection authority of Hamburg Some examples the first such reason was the friend finder an aggressive Advertising strategy of Facebook to increase the number of their users The second one another Similar case is this face recognition technology Facebook users to suggest Whom to tag on photos uploaded by users to the network This was introduced without asking the data subject affected for the informed concept After we opened an administrative Proceeding against Facebook. They decided to discontinue the features throughout Europe Currently a change of the data use policy of Facebook effective on January of end of January 2015 led to new investigations not only by the handle PPA, but as well as in the Netherlands and Belgium and we know it since last week also in France and Spain The announcement that Facebook may share information about from their users Within the Facebook family for more or less undefined purposes is at least disturbing Legal ground for transferring data between these different companies cannot be seen Facebook therefore must clearly commit that there will be no unauthorized exchange of data especially Keeping in mind the weak privacy standards of the US companies in the hand of Facebook such as WhatsApp or Instagram one can Count here also one can refer also to the network Edward advertising at word Atlas Facebook argues for quite long time that for European users the responsible controller It is not Facebook Inc. Located in California, but rather Facebook limited in Ireland From that they come to the conclusion That the Irish data protection commissioner would be the only competent DPA Despite this position Facebook in the past was willing to answer our questions more or less to our satisfaction Not so now Facebook refused to give answers to our questions concerning the new data use policy They recurred to the argumentation of missing competence and non applicability of German data protection law our legal position Until now the competence issue in Germany has not been solved There are two dissenting court decisions in Germany the administrative court of Schleswig-Holstein in 2013 denied the applicability of German data protection law on the other hand the Kammergericht in January 2014 the Berlin Court of Appeal For private law argued that the national data protection provisions are applicable for Facebook consider considering the current decision of the European Court the key question of ethical law under the framework of the data protection directive must be addressed new The central provision applied in the Google Spain decision concerning applicability of national laws article 4 1 a The article provides that each member state shall apply the national provisions where the Processing is carried out in the context of the activities of an establishment of the controller on the territory of the member states member state when the same controller is established on the territory of several member states He must take the necessary measures to ensure that each of these Establishment complies with the obligations laid down by the national law applicable The clear notion of article 4 1 a to estimate the extent of The application of the national data protection law One has to analyze the key term establishment and scope the relevant activity The court refers to a recital 19 of the directive which states that Establishment on the territory of a member state Implies the effective and real exercise of activity through stable our Arrangements and that the legal form of such an establishment whether simply branch or subsidiary with a legal personality Is not the determined mining factor The court of justice makes it clear that this does not require The processing of personal data in question to be carried out by the establishment concerned But only that it be carried out in the context of activities of these of this Establishment in the case of Google search engine It is sufficient that the establishment promotes and serves advertising space Making the service more profitable The court of justice explicitly Develops its wide interpretation on the background of the processing of data Which is operated by an undertaking that has its seat in a third state But has an establishment in a member state now What does this mean for those cases in which the controller claims to operate not in a third state? but in a member state of the The multiplication of different national regulations is Anticipated by the data protection directive. It states that each controller has to ensure that the national Regulations have in each case be followed Recital 19 of the data protection directive addresses this issue Quotation when a single controller is established on the territory of several member states Particularly by means of subsidiaries He must ensure in order to avoid any Circumvention of national rules that each of the establishments fulfills the obligation imposed by the national law applicable to its activities The decision of the court of justice therefore This is my opinion is also valid for controllers which operate in the EU with an establishment By contrast Facebook, which has its main European establishment in Ireland argues that the directive would aim to ensure a common level of privacy protection standards within the EU and harmonize Data protection laws to establish a consistent internal market for internet services The data protection directive in order to ease the flow of personal data aims indeed for an equivalent level of protection of rights and freedom of Individuals with regard to the processing of such data in all member states. This is recital eight It is clear that the interpretation of the terms establishment by the court of justice Intends to counteract controllers trying to escaping the obligation obligations and guarantees of the data protection directive and safeguards the Effective and complete protection of fundamental rights and freedoms of national natural persons an Interpretation of the scope of applicable law must therefore consider that with directive nine five four six the European Legislator sought to prevent individuals being deprived of the protection Guaranteed by the directive and that protection from being circumvented Quotation from European court Even if one follows the argument of Facebook on the harmonizing impact of the directive The wide interpretation of the term establishment by the court must therefore be also relevant for the data controller in member states where the Implementation of the directive itself is deficient or and the enforcement of national data protection is Not at least much less effective than in other member states or at least much less effective than under the state As a result the controller whose strategy is to seek for lower levels of data protection in third states as well as in the EU Must at least face the situation that he is obliged to the relevant and valid data protection Standards of a member states where its own branches or establishments are running in office I come to point for implementation and law enforcement in Ireland Whether these requirements for the application of the principles of the Google decision are fulfilled in the case of Facebook limited in Ireland Must be examined in depth Here is not the place and the time for a final evaluation But let me in short provide an ignition assessment as an example I will pick the enforcement of proper consent as a legal ground for processing data As mentioned before Facebook in 2011 implemented automatic face recognition to identify people and uploaded photos and attribute attribute these to the users in question Facebook itself when introducing this function had no inform not informed the users that their faces would be biometrical evaluated Under the pressure of growing resistance especially among consumer and data protection authorities Facebook prominently pointed the user to the facial recognition function and the possibility of deactivating it Facebook was of the opinion that it had therewith done all that had been necessary to obtain the consent of those affected True to the motto if you don't deactivate then you concept The user's reaction not to deactivate the facial recognition function was regarded as a concept We clearly pointed out That the failure to perform an action deactivating may not be interpreted as consent on the part of the users Consent from those affected is required by European as well as data protection law an M Biggius concept this view was by the way Repeatedly communicated by the article 29 data protection group in its opinions on the processing of biometric data and the requirements for valid concept that opinion Was not shared by our colleagues in Ireland in their first audit Facebook Ireland the first audit report They accepted Facebook's argumentation that users give their consent to all of the network's condition of use Including the guideline on data usage and that this provides the Substantive legitimation to the collection of users biometrical face profiles quotation Facebook Ireland audit report from 2011 our consideration of the issue this issue must also have regard to case law in Ireland Regarding the use of biometrics This case law has not considered that the procession of biometric data requires explicit consent Further quotation for the reasons outlined above Further notification in relation to the current deployment of the feature is not strictly legally necessary under Irish law This opinion Ignores that with the opt-out Feature Facebook does not fulfill the requirements of the EU data protection directive Article 2 he provides that the data subjects consent shall mean any freely given specific and informed Indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed the EU article 29 group adopted an Opinion in 2012 on facial recognition in online and mobile services and approves that a quotation In this context consent for enrollment cannot be derived from the general users acceptance of the overall terms and conditions of the underlying service Unless the primary aim of the service is expected to involve facial recognition recognition It took quite some time for Facebook to accept this legal opinion only after opening administrative proceedings Facebook took the the possibility and Close down the facial recognition function in Europe the function or facial recognition was discontinued and the biometric data were deleted this example Shows and demonstrates one of the differences between the Irish data protection act and the EU directive Deviation from settings of the EU directive the Irish Irish data protection act has no binding legal definition of the term consent This proves a deficient Implementation of the directive and documents a gap between the provision of the EU directive and the Irish data protection act This gap should have been closed by interpretation of the legal term consent by the Irish the data protection Authority in the light of the European directive Referring of an Irish case law certainly in my opinion is inappropriate The question of pre and explicit consent is crucial for the Evaluation of the data use policy of Facebook which became effective just in in January 2015 has Facebook by issuing the new privacy policy acquire consent of their users that Legitimates the processing and transfer of data from a European perspective. This is more than doubtful I came I come to the conclusion The EU general data protection regulation is discussed on the EU and on the member state level since 2012 it aims for current structures and future data protection law not only for privacy rights But also towards a homogenous procedure of co-operation and law enforcement between different national supervisory authorities The principle of the one-stop shop should accomplish that only one data protection authority is competent for a data controller throughout the Against the background of the bath. It is not it is of great importance that the exclusive supervisory Responsibility of the authority at the location of the headquarters of the data controller must not lead to a forum shopping of A major internet company Otherwise, we might face a race to the bottom and protecting the privacy in the EU The general regulation therefore has to find clear and transparent procedures which provide effective provisions for the law enforcement Regulation should therefore be given to the question of arming those supervisory authorities with particularly rights for the case of the leading authority should remain inactive That last view on the consent view on the actual proposal of the Council of the European Union raises doubts whether the procedure of the one-stop shop will be effective enough for law enforcement regarding also the Consent proposals of the council in chapter two of the general data protection It falls back not only beyond the proposal of the Commission But also behind the EU directive itself instead of an explicit consent Required by the proposal of the Commission Mere unambiguity Shelby is sufficient that would open the way to opt-out solutions Which in fact are incompatible to the right to informal self-determination of the individual user The central requirement for the ongoing debate on the data protection regulation is to implement a definition Which states that consent of the users always have to be given explicitly The data protection regulation must learn from the process of the European DPA to enforce the fundamental rights to privacy especially against the data use policy of Global players like Google and Facebook. Thank you for your attention