Last month, the Court of Justice of the European Union (ECJ) issued a ruling on the scope of EU member states’ jurisdiction over internet services. In Football Dataco Ltd v. Sportradar GmbH, the ECJ considered a jurisdictional issue related to the Database Directive, but its opinion could have broader implications for how the EU considers internet jurisdictional issues.
The defendant operates sports betting websites. The defendant, operating its web servers out of Germany and Austria, served content to users throughout Europe. As part of its operations, the defendant pulled live sports data from UK soccer matches. Plaintiffs brought suit in the UK for infringement of their database rights to that live sports data, noting that UK users accessed defendant’s websites. Among other defenses, the defendant claimed that the UK court lacked jurisdiction.
The parties disputed the theory under which to evaluate jurisdiction. Plaintiffs argued that the court should apply the “transmission theory,” under which a court’s jurisdiction extends to include the place where users interact with a website. Defendant countered that, under the “emission theory,” jurisdiction is limited to where the web servers are located.
The lower court referred two questions to the ECJ:
- whether the defendant had engaged in an act triggering liability under the Database Directive; and
- whether that act occurred in the member state where data originated, was received, or both.
After determining that defendant’s acts constituted a violation of plaintiffs’ rights under the Database Directive, the ECJ turned to the jurisdictional question. The court concluded that, at a minimum, the member state in which users received data could assert jurisdiction only if “the act [of transmitting data] discloses an intention on the part of the person performing the act to target members of the public in” that member state.
Although this decision was limited to the jurisdictional scope of the Database Directive, the same reasoning could be adopted by the EU more generally in focusing jurisdiction under the proposed EU data protection regulation. The current draft regulation would extend jurisdiction to data controllers anywhere in the world if they are engaged in “the processing of personal data of” EU data subjects for either “the offering of goods or services” or “the monitoring of their behavior.” The term “offering” may cover all websites which do not explicitly exclude EU citizens from their goods and services. The EU could instead focus jurisdiction on the idea of “targeting” in line with the reasoning of the ECJ opinion, thereby providing a limit to the jurisdictional reach of the proposed regulation. This would avoid applying EU data protection law indiscriminately to the entire internet, which the ECJ warned against in 2003 with regard to the existing Data Protection Directive.