Human Fertilisation and Embryology Act 1990 and the issue of consent: the unresolved problem


Muki Gorar, Lecturer in Law at the University of Hertfordshire 

  • Under the Human Fertilisation and Embryology Act 1990, the issue of ‘consent’ has been problematic when dealing with fertilisation issues in England and Wales.
  • Although there was an attempt to amend the law in 2008, the issue has not been resolved
  • Case law illustrates the need for a change.


The Human Fertilisation and Embryology Act (HFEA) 2008 received Royal Assent on 13 November 2008. Technology in the field of human reproduction had advanced so far that the previous HFEA 1990 was struggling to cope with these changes. The 2008 Act attempted to update the law to ensure that it was fit for purpose in the 21st century and amended certain provisions of the 1990 Act. However, the issue of consent under Schedule 3 and 4 of the 1990 Act remained unchanged.

Current Law

Within the current Act, for gametes to be lawfully retrieved, stored and used there is a need for an effective consent. Schedule 3 requires consent for the use or storage of gametes to be in writing. The same Schedule further clarifies this by stating that: ‘In this Schedule “effective consent” means a consent under this Schedule which has not been withdrawn.’

Schedule 3 (8)  of the HFEA 1990 deals with the consent to use or store gametes. Under Schedule 3 (8)(1) ‘A person’s gametes must not be kept in storage unless there is an effective consent by that person to their storage and they are stored in accordance with the consent.’ Furthermore, Schedule 3 (2) (a) requires such consent to specify the maximum period of storage (if less than the statutory storage period).

The same Schedule also clarifies further the procedure for giving consent. Under Schedule 3 Paragraph 3 (1), before a person gives consent, (a) that person must be given proper counselling about the implications of taking the proposed steps, and (b) must be provided with such relevant information as is proper.

Although the above provisions of Schedule 3 may sound straightforward, they are difficult to strictly comply in a real-life situation. Thus, the following recently decided case will illustrate the complexity of the issue.

Recent Case of Samantha Jefferies

Central to the recently decided case of Samantha Jefferies (Jefferies v BMI Healthcare Ltd and Human Fertilisation and Embryology Authority, [2016] EWHC 2493 (Fam)), was the issue of ‘consent’. Mr. and Mrs. Jefferies decided to receive in vitro fertilisation (IVF) in order to have children. For that purpose, embryos were created from the claimant’s eggs and her husband’s sperm while the couple were undergoing IVF treatment. As required by the HFEA 1990, both the husband and wife consented to the storage of the created embryos. The consent form (MT) was signed by the husband in which he consented to the embryos being stored for a 10 year storage period. At some point thereafter, the form was amended to specify a two-year storage period, which was to reflect the clinic’s policy of offering two years of free storage facilities funded by the NHS. However, the amendment was neither signed nor initialled by Mr. Jefferies. In 2014, just before the couple were to undergo a cycle of IVF treatment using the embryos, the husband died unexpectedly. The IVF clinic indicated that, in accordance with the amendment to the husband’s consent form (with reference to the clinic’s two years free storage offer), the embryos could not be stored beyond August 2015.


When the case was brought to court the claimant, Mrs. Jefferies, submitted that the amendment of the original storage agreement was invalid because it had not been signed or initialled by her husband as required by Schedule 3 Paragraph 1(1) of the Act. As a result of these circumstances, the original consent for the 10-year storage period remained valid. The claimant sought a declaration that three embryos being frozen on 11 August 2013 could lawfully be stored for 10 years from the date of their freezing (until 2023).

Sir Munby presiding in the High Court, granted the declaration. Sir Munby’s decision as explained under s 24 -29 of his judgment was based on the following main points. Firstly, the requirement in Schedule 3 Paragraph 1(1), that a consent or any variation or withdrawal of consent having to be signed by the relevant person, did not require a full signature. Thus, either a signature or putting an initial on the amendment would be sufficient. However, Mr. Jefferies had done neither. Therefore, this was sufficient to invalidate the amendment. Furthermore, even if he had intentionally amended the form to reduce the period of his consent to two years, the amendment would be invalid in the absence of his signature or initials. On this ground alone, the claimant was entitled to the declaration that she was seeking to obtain. Secondly, regardless of whether or not Mr. Jefferies signed the amendment (reducing the storage from 10 years to two years), the requirements under Schedule 3 Paragraph 3 (1) (b) were not met. The amendment required that a ‘suitable opportunity to receive proper counselling about the implications’ of signing the amendment had to be complied with. The judge concluded that there was no evidence that Mr. Jefferies had been given any counselling regarding the implications of the amendment (Official Transcript, s 30-33).

Mr. Jefferies provided a written consent. However, his written consent for the storage of their remaining embryos had since expired. The couple signed the forms in July 2013 and had two unsuccessful cycles of IVF treatment. The facts illustrate the clear intention of the couple to have a child together. The court considered the fact that the couple twice signed a form called  ‘Consent for the Cryopreservation and Storage of Embryos (SDFC9)’. This form stated, “…embryos…be preserved…and stored for a period of not more than ten (10) years from the date of fertilisation. Although the fact that uncertainty around the words ‘not more than ten years” is mentioned. The form SDFC9, not being a consent form, was raised for the court to consider in their decision. The court, instead of just focusing on regulations in only one particular form (MT), looked at the whole documentation to identify the real intention of the deceased. As a result. the court came to the conclusion that the form (MT) was amended to reflect the clinic’s free storage offer and not as a result of a change of heart on Mr. Jefferies’ part.

Issues associated with human fertilisation and reproduction are complex and very sensitive. As can be seen from the above-mentioned case, procedural requirements coupled with practical considerations about storage issues can result in creating difficulties in establishing a party’s real consent. Obviously, these issues are more complex especially when one of the parties is deceased. Perhaps it is time to simplify the paperwork by underlining the fact that consent for usage of gametes should prevail over any other conflicting issues such as storage duration. Clearly, related issues such as free funding facilities for a shorter period of storage will influence the decision of couples when agreeing on storage terms. However, this should not undermine the deceased’s consent to allow his partner to use the gametes.

The decision in Mrs. Jefferies’ case is promising. However, the most practical way of dealing with this issue is in simplifying the rules, instead of dealing with the issue on a case by case basis. Otherwise, courts will be busy again trying to determine the issue of consent.



EU Nationals, Brexit, and the Law

Elise Tai, 3rd Year Law Student, Hertfordshire Law School

Jurisdiction over EU nationals in the UK by the European Court of Justice will end after a two-year transition period following Brexit. Reports have suggested that a meeting of senior ministers chaired by Theresa May on 20th November 2017 had left the door open for some continuing involvement of the Luxembourg court after Brexit. The claim that this meeting, which implied that the prime minister had been given the green light to make a higher offer to Brussels on the “divorce bill” the UK will pay to settle its liabilities on quitting the EU, has not been verified.

Brandon Lewis, an immigration minister, proposed that May was preparing to make concessions to the EU’s demand for European Court of Justice (ECJ) oversight of citizens’ rights when he told MPs that the matter was “part of the negotiations”.

May’s official spokesman denied these claims, stating that the government expected the ECJ’s role to be unchanged during an “implementation period” of around two years following the official Brexit date in March 2019, but that “post that period, the jurisdiction of the ECJ will come to an end.

It is expected that May would soon indicate to the President of the European Council, Donald Tusk, that she is ready to consider a settlement in the region of £38bn, well short of the £53bn being sought by Brussels. However, she is not thought likely to name a precise figure which Britain is prepared to pay until she has a clear idea of what kind of trade deal is available with the remaining EU, with Downing Street insisting that “nothing’s agreed until everything’s agreed”. May’s spokesman would say only that “specific figures or scenarios are all subject to negotiation”.

The issue of jurisdiction over EU nationals ties in with Lord Thomas’ view that there is a greater need for clarity in UK law development. As the Press Association reports, Lord Thomas, a former Lord Chief Justice of England and Wales, told the Lords EU Justice Subcommittee that data law is one area where a possible difficulty could be faced.

Arguing that “the law in Europe is not standing still, it is moving at a huge pace”, his lordship put forward that “the [EU withdrawal] bill is clear about freezing the law, but it is not at all clear about how you keep it up-to-date”. He also highlighted that a second problem was that of the extent to which the Supreme Court of the United Kingdom may be asked to depart and develop slightly different jurisprudence to the CJEU (Court of Justice of the European Union), questioning the impact that this departure would have on people’s willingness to use English law if it doesn’t follow the large regime. Lord Thomas expressed that there was a lack of “real exploration” of these matters and that little thought has been given in regard to the “development of the law for the future”.

The role of the courts in regard to the jurisdiction of EU nationals appears to be a major consideration for all parties involved, as it is the people that make a country. As such, greater consideration ought to be directed towards the development of the law, (for example, the European Union (Withdrawal) Bill), in light of the UK’s decision to leave the EU.


Withdrawing and withholding life sustaining treatment from patients in a minimally conscious state

Claudia Carr, Senior Lecturer, Deputy LLM Programme Leader, Hertfordshire Law School

The recent decision in M (by her litigation friend, Mrs B) v A Hospital 2017 EWCOP 19 is remarkable

in the sense that Mr Justice Peter Jackson indicated that it was no longer necessary for Trusts and

relatives to refer a case to the courts where decisions of withdrawing and withholding life sustaining

treatment from patients in minimally conscious states (MCS) and where all parties agree it is no longer in the patient’s best interests to receive life sustaining clinical artificial nutrition and hydration (CANH).

The case concerned M, who suffered from Huntington’s disease, an inherited fatal neurological condition with no cure.  In 1994, M became a permanent inpatient at hospital and by 2003, she was entirely dependent on clinical artificial nutrition and hydration (CANH). Even though the clinicians and the relatives agreed that continuing CANH was not in her continued best interests, M’s case proceeded to the Court of Protection for consideration. The need to go to Court for a determination was largely due to Practice Direction 9E which requires decisions about proposed withdrawing and withholding of CANH from patients in a permanent vegetative state (PVS) or minimally conscious state (MCS) to go before the court. This requirement has been in place since the seminal case of Airedale NHS Trust v Bland 1993 AC 789 which stated that until a body of practice had been well established for deciding cases of this nature, all cases must go before the court. At this time, however, the condition of minimally conscious state had not been recognised but in W v M 2011 EWHC 2443 (Fam), the earliest case to deal with patients in minimally conscious states, the requirement was confirmed.

Whether of not this requirement should remain was referred to in detail by Mr Justice Jackson in Re M (Withdrawal of Treatment: Need for Proceedings). In para 29, he stated that the Court of Protection Rules Committee, chaired by Mr Justice Charles had met and received a wide range of views and recommended removing the practice direction and establishing a multi-disciplinary body to give guidance about the type of cases that should be taken to court. Moreover, the court referred to the judgment in Director of Legal Aid Casework v Briggs 2017 EWCA Civ 1169, where it was stated (paragraph 108)

‘If the medical treatment proposed is not in dispute, then regardless of whether it involves the withdrawal of treatment from a person who is in a minimally conscious or in a persistent vegetative state, it is a decision as to what treatment is in P’s best interest and can be taken by the treating doctors who then have an immunity pursuant to section 5 MCA’.

However, where the clinicians and relatives disagree in relation to medical treatment where a person lacks capacity, in particular where there is doubt as to whether CANH should be withdrawn, then the matter should be referred to the court.

At this juncture, it is worth exploring how the best interests of a patient are determined. Although this is complex and the subject of many previous court decisions, where a patient lacks capacity to consent or refuse medical treatment, the court will act in the patient’s best interests as required by the Mental Capacity Act 2005 (MCA).

The starting point is expressed in section 1(5) that where a person is unable to make a decision for herself, there is an obligation to act in her best interests. Where a decision relates to life sustaining treatment, the person making the decision must not be motivated by a desire to bring about death s4(5). Importantly under s4(6), when determining what is in her patient’s best interests, all relevant circumstances are taken into account, including ‘the person’s past and present feelings’ and the ‘beliefs and values that would be likely to influence her decision’ if she had capacity. In Re M, it was relevant but not determinative that her family said in evidence that ‘she would not have wanted to be kept alive with no hope of recovery or improvement’

Although there is a strong presumption in the preservation of life, it is not an absolute principle and the earlier case of Aintree v James 2013 UKSC 6 confirmed that it will not always be in the patient’s best interests to receive life sustaining treatment, yet every case is different. At paragraph 39 Baroness Hale made the following statement which has been referred to and applied in a number of subsequent cases:

‘The most that can be said therefore, is that in considering the best interests of this particular patient at this particular time, decision makers must look at his welfare in the widest sense, not just medical but social and psychological; they must consider what the outcome of that treatment for the patient is likely to be; they must try and put themselves in the place of the individual patient and ask what his attitude to the treatment is or would be likely to be; and they must consult others who are looking after him or are interested in his welfare, in particular for their view of what his attitude would be’

Essentially, each case is fact specific but unquestionably subjectively assessed.

In Re M, Mr Justice Jackson confirmed that the State’s obligation under Article 2 (the right to life) no longer requires court oversight. PVS/MCS cases simply represent a specific type of case where withdrawing medical treatment is concerned but, there are many cases where life sustaining treatment is discontinued and an application to the court is not mandated. However, the Court of Protection will remain the port of call where there is a disagreement between the clinician and the relatives as to the patient’s best interests as every case is fact specific and the court will always assist with such important determinations.

The most recent judgment in this most sensitive of areas of law is NHS Trust v Y (By his litigation friend, the Official Solicitor) 2017 EWHC 2886.  This was a claim for a declaration that there was no obligation to apply to the Court for withdrawal of CANH from a patient in a prolonged disorder of consciousness where the clinical team and the family agreed that it was not in Y’s best interest to continue to receive life sustaining treatment and that, if CANH were to be withdrawn, there would be no civil liability of criminal repercussions. In the absence of an advance decision (which if valid and applicable would have to be respected) and the wishes of Y’s family that he would not wish to be kept alive in that way, together with medical evidence that supported removal of CANH, the court accepted that it was not in Y’s best interests for CANH to continue and could be withdrawn.

Mrs Justice O’Farrell further commented that Re Mestablishes that where the clinicians have followed the MCA and good medical practice, there is no dispute with the family of the person who lacks capacity or others interested in his welfare and no other doubts or concerns have been identified, there is no requirement to bring the matter before the court’

On the face of it, this seems to now be settled law and appears to be the correct approach. However, Re Y was a case before the High Court and it is essential there is definitive statement from the Supreme court where withdrawing and withdrawing life sustaining treatment will lead to a patient’s death. Where the patient does not have an advance decision, relatives will no longer need to take cases before the court with all the associated stress, time and costs. At the same time, the patient will continue to receive CANH, often in cases where it is no longer appropriate and risks interfering with the patient’s bodily integrity. However, there cannot be room for error, the stakes of life and death are simply too high but equally, clinicians need to be sure that any action they may take in withdrawing life sustaining treatment falls squarely within the law and the protection of section 5 MCA.






When Britain can deport EU citizens – according to the law

File 20171109 13303 1nzjnvi.jpg?ixlib=rb 1.1

Adrienne Yong, City, University of London

The article was originally published on The Conversation.

Despite the fact that EU citizens enjoy the right to move to and live in other member states, the UK government has recently ramped up efforts to deport them.

In the year ending June 2017, 5,301 EU citizens were deported from the UK, a 20% rise compared to the previous year. This is a troubling figure, especially considering that the law supposedly protects EU citizens from deportation. The charity, Bail for Immigration Detainees, has noticed a rise in EU nationals involved in deportations.

As many EU citizens remain anxious about their future in the UK after Brexit, the government has unfortunately sent mixed messages as to whether EU citizens will enjoy the same rights in the UK once it leaves the EU, or if they will simply be deported.

Debate already exists in the UK about whether certain individuals “deserve” to be expelled, from people who are not working but seeking welfare benefits, to people who are convicted of criminal activity. Now more questions are arising about whether just about anyone can be deported.

Adding to the distress is a recent government letter, sent on behalf of the Home Office, to a Romanian national. It advised him to consider leaving the UK to “avoid becoming destitute” after he was refused emergency accommodation.

The UK’s refusal to provide him with emergency accommodation should not on its own amount to him being asked to leave, especially not under EU law which states that citizens are given the right to live and reside freely in any member state. By suggesting he leave, it appears that the Home Office was trying to restrict his freedom to move and reside. The letter added to the already hostile political atmosphere in the UK, and does nothing to allay concerns for worried EU citizens.

EU law on deportation

The law surrounding deportation in the EU comes from Article 28 of Citizens’ Directive 2004/38 which states that EU citizens can only be deported from another member state for reasons of public policy or public security. There are only three situations in which deportation is allowed.

The first requires that alongside the public policy or public security reasons, deportation can only be allowed if adequate consideration of various factors are taken into account. These include how long the person has been living in the country, their age, health, family and financial situation, and how well they’ve integrated into society.

The second situation concerns permanent residents, those who have have lived in a member state for five years or more (you are not required to have documents proving this, though it is necessary for British citizenship applications).

For permanent residents, only serious grounds under public policy or public security will justify expulsion. What a “serious” ground is must be justified by the member states, but there is no guidance in the directive as to what constitutes “serious”. It must relate to a fundamental interest of society. These include preventing unlawful immigration, maintaining public order, preventing tax evasion, countering terrorism and preventing repeat criminal offences.

The third situation is for those who have been in a member state for the last ten years – or minors. In these cases, only imperative grounds of public policy or public security will be accepted. Again, “imperative” grounds are up to the member states to justify and the directive offers no definition. However, it is clear that they are stricter than “serious” grounds. Therefore, the longer you have been in a country, the more difficult it becomes to deport you. Case law has accepted being involved in a drug dealing organisation as an imperative ground of public security, but the general meaning of “imperative” remains unclear.

Despite the fairly high level of protection under these provisions, the UK has been known to interpret the public policy and public security reasons for deportation quite broadly, in some cases arguing that rough sleeping counts. This decision is now being challenged before the High Court. The EU has also not taken kindly to this behaviour. The European Commission is currently investigating whether the UK is actually targeting EU nationals and if so, the UK would be in breach of its obligations as an EU member state.

Human rights and deportation

In its letter to the Romanian national, the Home Office suggested he leave so as to “enjoy access to all your ECHR [European Convention on Human Rights] without interference”. But this seems a strange suggestion, given that the UK is also bound by the ECHR and the government stated earlier this year that are “no plans to withdraw” after Brexit. It should, therefore, also be committed to conferring such rights without interference.

Article 8 of the ECHR protects the right to private and family life and deportation has previously been deemed an interference in this. The Home Office’s suggestion that EU citizens should go elsewhere to seek better protection makes it appears as if the UK wants to wash its hands of anyone burdensome in their territory, and certainly of its obligations under the ECHR.

The ConversationLaws exist to protect EU citizens from being deported. Yet, the Home Office seems to want to downplay the obligations that it is bound to ensure under EU law, but also under the ECHR. Attempting to shirk its responsibilities even before Brexit has occurred does not set a positive precedent for the protection of EU citizens’ rights going forward.

Adrienne Yong, Lecturer at The City Law School, City, University of London

This article was originally published on The Conversation. Read the original article.


CJEU Advocate General opines on the definition of a data controller, applicable national law, and jurisdiction under data protection law

Henry Pearce
Lecturer in Law, University of Hertfordshire, and Doctoral Researcher at the Institute for Law and the Web at the University of Southampton.

This article was originally posted on the Peep Beep!, a blog dedicated to privacy and information law.


‘Cruise control for the social media age, or stuck in second gear?’ The issue of defining data controllership is “particularly thorny” says AG, and looking to become thornier as complete control is becoming less and less common in practice

Last month, Advocate General (AG) Bot of the Court of Justice of the EU (CJEU) delivered an opinion which, although non-binding in nature, could potentially have far-reaching consequences for the development of data protection law in the EU. The non-binding opinion concerns a number of questions brought before the CJEU in relation to case C-210/16, which concerns a dispute between a regional German data protection authority (DPA) and a private education company, Wirtschaftsakademie Schleswig-Holstein GmbH (an education company). The main issue for the AG to consider was whether the German DPA was entitled to utilise its powers of intervention under the Data Protection Directive (DPD) against the education company, despite the fact that the latter was considered by the German courts not be a ‘data controller’ for the purposes of the definition of this concept under Article 2(d) DPD (“the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”).

The request for a preliminary ruling concerned the legality of an order made by the DPA against the education company, which required the latter to deactivate a fan page hosted by Facebook Ireland, the entity that Facebook Inc has designated the controller of personal data processing by it in the EU. (A Facebook fan page is a special Facebook user account that individuals and businesses to set up in order to promote themselves, usually for the purposes for commercial purposes).

The DPA had alleged that, by failing to inform end users visiting the fan page that their data would be automatically collected by Facebook via cookies installed on their computing equipment, the fan page infringed a variety of provisions of German data protection law implementing the DPD. These data were collected via Facebook for the purposes of compiling anonymous statistical information, which would benefit the education company, and for the purposes of refining Facebook’s targeted behavioural advertising endeavours. By contrast, the education company argued that it was not responsible for the activities carried out by Facebook, including the automatic installation of cookies on end users’ computing equipment, and therefore it was not a data controller in respect of such personal data processing, and so it should not be subject to the exercise of the powers of the German DPA.

After being contested in the German Administrative Court and the Higher Administrative Court, the German Federal Administrative Court agreed that the education company was not a controller because, it concluded, the organisation had no power to influence the collection of personal data or the purpose of any subsequent processing in this context. However, in its request for a preliminary ruling to the CJEU, the Court asked for clarification on six questions, which can be summarised as follows:

  1. Are data controllers the only parties capable of incurring liability and responsibility for data protection violations? Alternatively, do DPAs have jurisdiction to exercise their powers of intervention under Art.28 DPD in relation to undertakings that are not data controllers per the DPD’s definition?
  2. Under Art.17(2) DPD, is it possible to infer a possible duty for making the same careful choice in respect of other multi-tiered information provider relationships, other than those between controllers and processors? (This provision specifies that in sub-contractual relationships, where a data controllers delegates data processing activities to a dedicated data processor, the controller is under a duty to choose a processor which provides sufficient guarantees in respect of technical security and organisational measures in respect of the processing to be carried out).
  3. Where an undertaking is primarily based outside the EU (e.g. Facebook), but has subsidiaries established within the territories of the EU (e.g. Facebook Germany and Facebook Ireland), is the DPA of one EU Member State entitled to use its powers of intervention against a subsidiary based in its territory but not responsible for making determinations in respect of the purposes of the collection and processing of personal data throughout the EU, whilst another subsidiary of the same undertaking based in another Member State has this responsibility?
  4. Where a controller has an establishment in one Member State responsible for determining the purposes of acts of personal data collections and processing (e.g. Facebook Ireland), and another legally independent establishment in another Member State whose responsibilities are restricted to marketing activities targeted at the inhabitants of that Member State (e.g. Facebook Germany), is the DPA of the latter Member State entitled to exercise its powers of intervention against the establishment in its territory, or are such powers exercisable only by the DPA of the Member State where the determinations regarding the collection and processing of personal data are undertaken?
  5. In cases where the DPA based in one Member State exercises its powers of intervention against a person/entity in its territory (on the grounds of failing to exercise due care in choosing a third party located in another Member State to be involved in personal data processing activities due to that third party being an infringer of the DPD), is the DPA bound by the appraisal of a DPA from the Member State where the third party is based, or can the DPA of the first Member State come to its own independent conclusion?
  6. Where the DPA of a Member State is in a position to conduct an independent investigation, does Art.28 DPD permit it to exercise its powers of intervention against a person/entity established in its territory on the grounds of an alleged data protection violation for which they are jointly responsible with a third party established in another Member State, or must it first request that a DPA of the Member State where the third party is based exercise its own powers before it is permitted to act?

In response to the first two questions, the AG argued that both were premised on the mistaken belief that a Facebook fan page could not be a controller for the purposes of the DPD. This, he suggested, was fundamentally wrong. Whilst acknowledging that, first and foremost, the administrator of a Facebook fan page is an individual end user of Facebook, the AG said that this in itself is not enough to preclude it being responsible for the collection of user data by Facebook itself. Drawing on the definition of controller contained in Art.2(d), the AG argued that so long as the administrator of a fan page has influence over, or can “determine”, the purpose and means of any data collection and processing linked to end users visiting the page, they will be a controller for the purposes of the DPD.

So why exactly, on the facts of this case, did the AG conclude that the administrator of this particular fan page was definitely a controller? In short, this conclusion was primarily based on two main factors.

  • Firstly, the collection and subsequent processing of user personal data by Facebook would not have been possible if the administrator had not created the fan page. Accordingly, the creation of the fan page by the administrator represented an agreement to Facebook’s means and purposes of processing personal data, and therefore signified that the administrator had participated in the “determination” of those ways and means.
  • Secondly, due to technological insight tools offered by Facebook, fan page administrators are able to influence the specific way in which Facebook itself uses its data collection tools in relation to visitors to their fan page. This can allow the administrator to effectively define a personalised audience, and designate categories of users whose personal data will be collected. This, according to the AG, must also be considered as participating in the “determination” of the means and purposes of an act of data processing.

In circumstances similar to the immediate case, therefore, Facebook fan page administrators, as well as administrators of fan pages on similar platforms, must be considered joint data controllers along with Facebook. In reaching this conclusion the AG drew an analogy to help support his conclusion: if an undertaking were to make its own website and utilised similar tools to those made available through Facebook for the purposes of managing fan pages, it would undoubtedly be considered a controller. Accordingly, he argued, as there was no “fundamental difference” between the two scenarios, it would be wrong for the law to treat them differently!

In response to the third and fourth questions, the AG drew attention to the fact that, as mentioned, Facebook Ireland was Facebook’s designated data controller in the EU, whereas Facebook Germany was only responsible marketing endeavours aimed at German users. He then suggested that in order to answer the question of whether a DPA based in one Member State is entitled to exercise its powers of intervention in relation to processing activities for which a party in another Member State is responsible, it is necessary to first determine whether the DPA in the first Member State has the right to apply its own national law to the data processing in question.

Turning to the facts of this case, the AG opined that the German DPA was indeed entitled to exercise its powers of intervention against Facebook Ireland, despite the latter being based in another Member State. Specifically, he alluded to Art.4(1)(a) DPD specifying that acts of personal data processing will be governed by the law of the Member State in which said processing is carried out in “the context of the activities of an establishment” of a controller on the territory of that Member State. In other words, the applicability of the national law of any Member State to an act of personal data processing requires the controller 1) to have an “establishment” in that Member State, and 2) the processing must be carried out “in the context of the activities of that establishment”. With both these points in mind, the AG argued that as Facebook Germany has a registered office in Hamburg through which it carries out its business, it undoubtedly should be considered an establishment for the purposes of Art.4(1)(a).

In reaching this conclusion, the AG also drew on previous decisions of the CJEU in the Google Spain and Weltimmo cases (to reminder readers, posts about the latter decisions on this blog can be found here and here). The AG laid emphasis on the fact that – as Facebook Germany was responsible for marketing to German Facebook users – the personal data processed by it in relation to this must be considered as being “in the context” of Facebook Germany’s engagement with its users.

So, what does this mean for DPAs who find themselves in this context? The AG concluded that that the German supervisory authority indeed had the power to apply its own national law to the proceedings and could exercise all its powers of intervention to ensure that German law was applied by Facebook on German territory. In other words, neither the place where the processing is carried out nor where the controller is established are decisive in determining which national law applies to data processing activities.

Moreover, he argues that the suggestion that Art.4(1)(a) should be interpreted as requiring data controllers to have regard for the legislation of one Member State only was contrary to the wording of the DPD (specifically Recital 19, which mentions the possibility of the application of multiple national legislations to data processing activities), but also:

  • an inability for DPAs to target data controllers in other Member States would neuter their competency under Art.28 to uphold data protection law (as it is only through targeting the controller in a particular data processing operation through which any alleged infringements could be effectively combatted), and
  • allowing DPAs to impose measures on controllers that are not established in their own Member State would not represent the DPA overstepping its power, as the purpose of all DPAs is to ensure compliance with data protection law in all Member States.

Regarding the fifth and sixth questions, the AG concluded that a DPA must be able to use its powers of intervention in an autonomous way unfettered by any obligations to first correspond with, or defer to, another DPA.

The AG’s opinion is noteworthy for a number of reasons. Most strikingly, it perhaps represents a notable broadening of the notion of a data controller, a concept that already enjoys wide definition. If the AG’s approach were to be followed in the final CJEU judgement due imminently and adopted by the CJEU in future case law, this would seemingly open the door further to the possibility of individual users of social networking sites like Facebook to be categorised as controllers (a door the possibility of which has become to be wedged open under EU law in recent years), and therefore be made subject to the substantive tenets and provisions of the European data protection framework.

More generally, the AG’s expansive approach to the powers and abilities of DPAs regarding cross-border effects of personal data activities in the EU, as well as the applicability of national data protection law, may also raise interesting questions in relation to conflicts of laws and jurisdiction. What must also be kept in mind, however, is that after the GDPR replaces the DPD next May, the ‘One-Stop-Shop mechanism’ (discussed here by the influential Article 29 Working Party) will ensure that any regulatory action in relation to an alleged infringement of data protection law will be driven and overseen by the DPA located in an undertaking’s main EU establishment.

Meaning – after all that – if adopted, AG Bot’s approach on jurisdiction may be short-lived!