GDPR engagement of 30+ additional jurisdictions – automated pleadings
Stuart Ritchie
03.11.2018
Abstract: (1) The GDPR arguably, either directly or indirectly, could engage in a relatively straightforward fashion circa 30 jurisdictions apart from EU and EEA nations; plus some special jurisdictions such as places in northwest Africa, as implied by the Polisario jurisprudence. Pleadings for several such jurisdictional scenarios are explained. (2) My post on Brexit-proofing software contained an example of how jurisdictions might be embedded into a legal architecture artefact. That same example is reused to demonstrate how such pleadings can be automated. (3) Several special features of GDPR litigation also manifest within the pleadings.
References:
Post on Brexit-proofing Brexit-proofing
Excerpt from Jurisdiction artefact: la2.082b.jurisdiction.
Truncated Pleadings associated with the (full) jurisdiction artefact: Josephine_Bloggs_v_MegATech_Inc_Particulars_of_Claim_truncated.pdf.
Introduction:
Please read absolutely everything I say below as if it had the prefix "It is submitted that…".
I’ve been meaning to exhibit parts of this document for a while. Most proximately, some time ago I promised to answer a question on Quora from a lawyer asking what US lawyers need to gain a better understanding of the GDPR. I thought I’d start with the possibilities of unexpected jurisdictional engagement in respect of both parties, legal burden of proof, and so on. And I’m getting sick of repeating myself on forums. So what better way to exhibit legal concepts than to demonstrate how they’re pleaded… remembering from my own legal education I never really understood the law (even to a basic level) until close to the end of my vocational training when I was getting down and dirty and pleading real stuff in Court. Sink or swim: it’s a hard school. 1
To minimize size and tedium I exhibit for discussion only the first 12 substantive paragraphs of the pleadings. These cover more than enough for one post.
Accordingly I’ve redacted 89 paragraphs relating to the precise case-specific remedies sought by the plaintiff, setting out the circumstances and associated pleadings and remedies demanded. However I also include the final prayer (which I won’t discuss here), just to give you a taste for what a full-blooded GDPR claim / class action might demand.
The pleadings were auto-generated by a software app that (I kid you not) knows absolutely nothing about law – indeed I built it before the first GDPR draft emerged. Even the algorithms are encapsulated in metadata – which is tested in other legal subject matter areas, including wills, letters before action, Part 36 Offers, construction of multinational multilingual (English-Pinyin) heads of agreement (which was serious fun), etc. The same engine works equally well for all.
I’m going to explain the pleadings, paragraph by paragraph, ignoring para 1 which (self-evidently) is a note to the court. I quote the text here, but to see the context-specific hyperlinking you’ll have to open the referenced document
Caveat: In these pleadings I deliberately, albeit very selectively and with a "higher" purpose 2, break just about every drafting rule I was taught. So caveat emptor, and please don’t try this at home, you’ll just annoy the Court.
Paragraph 2: The Claimant is Josephine Bloggs, a child who is a citizen of Bermuda, Greenland and United States, a domiciliary of England and Wales, presently (at date of these Particulars) located in Sweden, residing at 1 Cabbage Tree Lane, Fairy Meadow, Bogshire, BG1 2AA, England and Wales, evidenced by the "record of conference" annexed to these Particulars as Annex ROC.
This is the "mandatory" para identifying the plaintiff and material legal contexts. It appends a reference to the evidence. So far so yawn. However it identifies the plaintiff’s nationalities, domicile, location, and residence. These legal attributes variously are of significance to different applicable data protection laws (and indeed most laws) around the world. Very unusually, all four attributes are important here for different reasons:
location is and remains the most obvious attribute to trigger GDPR engagement from the plaintiff’s perspective; domicile is the key attribute for the tort of misuse of private information; residence may be relevant to procedural law and procedural treaties and also, once engaged, GDPR Articles 79/82 and the Charter; and the specific nationalities of this specific plaintiff (unusually) may be material to the question of GDPR engagement, as explained below.
Paragraph 3: Despite Bermuda and Greenland not being Member State(s) of the European Union, by virtue of the Claimant’s citizenship of Greenland the Claimant is a citizen of the European Union (as material to paragraph 10.6 post).3 4
This is inserted only if the plaintiff’s nationalities attract the attention of the app via the jurisdiction artefact’s records of which referenced jurisdictions may attract EU citizenship de jure or as of right or by way of eligibility. I understand 5 that Greenland is an example of the first type.
Paragraph 4: The Defendant is MegATech, Inc, of 1109 Ropiff Road,, Scampton, Californ-i-ay 12345, registered as company number 12345678, and established inter alia in North Carolina, Aruba, Bermuda, Greenland, Jamaica and Mayotte. The Defendant processes or at material times processed the Claimant’s personal data.
This is the "mandatory" paragraph identifying the Defendant and explaining its nexus with the plaintiff. The only unusual aspect of this is the identification of a number of jurisdictions 6 in which it is established for the purposes of the scenario. We might postulate the Defendant might think that it’s not engaged by the GDPR simply because of the jurisdictions in which it is physically present. Such a Defendant might be utterly wrong, even in respect of those jurisdictions alone.
Paragraph 5: In respect of each of its processes (evaluated separately) processing the Claimant’s data the Defendant is a controller, alternatively a processor, within the legal meanings set out in the General Data Protection Regulation 2016/679 ("GDPR"), an instrument of the European Union ("Union", "EU") enacted into UK law for declarative and all other purposes except enforceability 25th May 2016 and re-enacted into UK law 23rd May 2018 (data subject rights enforceable from 25 May 2018).
Up until the word "processor" this is conventional, drilling down to the nexus of the case. Then I carefully and very deliberately break the legal drafting "protocol" prohibition on mentioning the law. 7. The declaratory aspects of the GDPR are extremely important in the context of silly "ignorance" defences, regulatory action, exemplary damages, and international comity in respect of all international agreements or laws conflicting with the GDPR, as already repeatedly signalled within the GDPR and in external Court cases 8 After 14 years of abuses 9 which form a key part of the background of why the GDPR exists). Just one more stupid move by a third country lower Court could spark the GDPR trade war for which both sides already are geared up, so we have to be clear and careful about this.
Paragraph 6: Further or alternatively, the Defendant processed the Claimant’s law enforcement-related data between 6 May 2018 and 22 May 2018, 10 and is a ‘controller’ alternatively ‘processor’ within the meanings defined by the Law Enforcement Directive 2016/680 ("the LED"), directly effective in the UK from 6th May 2018 to 22nd May 2018 and accordingly actionable as set out in Annex LED separately annexed to these Particulars by reference.
This is an optional paragraph strictly dependent on plaintiff evidence on specifics of defendant processing.11 Fun fact: by intentionally shoehorning everything including the LED and PNR Directives and local smorgasbords of legislation into a single horrifically ghastly Data Protection Act 2018, literally 4 times the size of the GDPR and arguably 16 times as complex and even more spectacularly obfuscatory than the 1998 enactment of the same name12 which all had thought impossible, the UK government ended up implementing the LED in May 2018 weeks after the statutory deadline. In so doing the UK machine-gunned itself in the foot so spectacularly that they’ve let EU law into the frame, directly applicable in the UK without the benefit of local implementation, for more than five years post-Brexit. However I have no intention of making any adverse comment as to do so would be grossly unkind to our remarkable multi-skilled and hyper-focused Department for Digital, Culture, Media, and Also Sport. 13
Paragraph 7: The Defendant maintains a physical establishment in a Member State of the Union alternatively in Outermost Region jurisdiction(s) (Mayotte) which necessarily are part of the Union de jure , and operates a web site https://www.megtech.com which is accessible to data subjects in the Union, further or alternatively rendered in at least one of the Official Languages of the Union. Accordingly the Defendant has an establishment in the Union.
Getting down to the nitty-gritty here. This is GDPR engaging by Article 3(1) via three alternative routes under the peculiar circumstances of the Defendant. As a matter of law Mayotte is part of the Union despite being in the Indian Ocean, and that’s decisive in itself. But failing that, establishment case law includes having a web site accessible to people in the Union (evidenced). On top of that, establishment case law includes having a web site that is served in one of the (many) official languages of the Union (evidenced).
For the IT geeks, the app knows from the metadata tests against the Jurisdiction artefact (admittedly from one of its many columns not exhibited in the extract) that Mayotte is part of the "outer-most regions" particularised in the EU treaties as amended. Otherwise it’s told not to plead it. See paragraph 10 for more jurisdictional subtleties, as well as hyperlinks to some of the material treaty Articles.
Paragraph 8: Further or alternatively, the Defendant offers goods and services (whether or not at financial cost) to data subjects in the Union.
Article 3(2)(a) is pretty easy to establish if you offer anyone anything at all and you permit access to your web site from people who currently physically are in the Union (yes, of course includes Mayotte and the other eight jurisdictions that qualify as Union territory de jure).
Paragraph 9: Further or alternatively, the Defendant expressly alternatively impliedly processes data categories such as profiling (inclusive of (actual) profiling, alternatively potential subsequent… profiling), from which as a matter of law the Defendant monitors data subjects in the Union.
Ok, this is engagement by Article 3(2)(b). There are two problems here for people’s comprehension, especially for lawyers and technical people.
First, monitoring in the GDPR doesn’t mean anything like (though it’s inclusive of) what people think it does, which is colloquial.Rather, its meaning is technical. Go into the file, follow the links to Articles/Recitals, nut it out and you’ll appreciate at core it boils down to profiling. 14
Secondly, IT folk and applied mathematicians (sorry, "data scientists"), most of whom have a kind of innate understanding of profiling, don’t understand law.
While lawyers, who’ll be able to parse this definition from the top end down, have never heard of profiling because the P-word is almost never used in judgments, and when it is tends to be used in ways not relevant to current purposes. For example to me the classic profiling case is Vidal-Hall v Google at EWCA level, which really mentions the P-word only in the context of facts dissociated from the key argument. This is of course a vicious circle, but one out of which the lawyers soon will have to break in a hurry.
TL;DR: if you theoretically could in the future profile (for example, target advertisements to) anyone in the Union (arguably even if they happened to be there only in the future), then GDPR engages you anytime someone wants it to.
Paragraph 10: Further or alternatively, the Defendant is established in Mayotte, Aruba, Bermuda and Greenland, jurisdictions formerly part of Member States. By virtue of public international law Member State law applies in such places, in that they (variously): (a) are members of the 9 Outermost Region jurisdiction(s) (Mayotte) which necessarily are part of the Union de jure, and for whom further special provisions are made in the European Union Treaties. (b) are members of the 22 OCTA member jurisdiction(s) (Aruba, Bermuda, Greenland and Mayotte) for which special provisions are made in the European Union Treaties including but not limited to TFEU Articles 198-204 and Articles 349-355 as subsequently amended from time to time by Council Decision as empowered by Articles 201, 203, 349, 352, and 354. (c) are determined by the United Nations to be Non-Self-Governing Territories (Bermuda). (d) lack full domestic autonomy (Mayotte). (e) fall within the non-subject-matter persuasive scope of the interminable Polisario jurisprudence (Mayotte, Aruba, Bermuda and Greenland). (f) are places within which the Claimant’s EU citizenship alternatively potential eligibility for or legal entitlement to EU citizenship, further engages Polisario principles (Greenland, Aruba and Mayotte).
At last. We arrive at the fun stuff. Article 3(3). Which every other lawyer in the world for no discernible reason assumes is about embassies.
But that’s not what it says.
So I here set out a number of different pointers, each which applies to a different combination of Defendant jurisdictions and/or Claimant nationality. To get home, the plaintiff needs only a single hit from any of the jurisdictions mentioned in any of these six pointers.
Special notes / caveats on paragraph 10, in no particular order:
The 10(f) pointer test is the sole reason that paragraph 3 is pleaded. Nobody knows how well this stuff will play until it hits a court of competent jurisdiction – which (except for class actions intensively managed by the Court) almost never will be the court of first instance.
The first two pointers encompass a total of nearly 31 jurisdictions (it looks like exactly 31, but actually there’s an overlap). The others (including Polisario scenarios) encompass many more for which arguments might be raised. I really can’t quantify the scope of this. Anyway, 30+ looks a good finger-in-the-wind starting number.
I might be right on these pointers. I might be quite wrong. Some of them undoubtedly will fail, at least for certain jurisdictions claimed. It’s a lottery. That’s why you plead this kind of thing shot-gun. There certainly will be other pointers that emerge. Normally this is the kind of thing that emerges quite slowly. But not even that is certain I won’t discuss the Polisario points here. That’s for skeleton/ written submissions. Besides, sometimes even I have a life.
The first pointer is actually duplicated from paragraph 7. This is because it’s such a good point that even if it somehow fails for Article 3(1), it’s still worth coming back for a second bite in Article 3(3) to which it’s perfectly aligned.
Never mind, there’s some good news! Truly sad IT geeks will ask: whatever happened to Jamaica? After all, it’s in the extract, and it’s one of the Defendant jurisdictions. And it’s a former colony of a Member State. So where is it?
The answer is: it’s simply a "control jurisdiction" for my testing. The Jurisdiction artefact metadata takes the view that Jamaican establishment will not qualify for GDPR engagement on any test associated with the specified six pointers. Therefore Jamaica does not appear in any.
Bluff-calling time. I’m not a public international law specialist anyway, so what would I know?
Fair enough, almost nothing of course… But I’ve simply raised the issue for you on a platter, and I ask you two very simple questions: was the Counsel that thought you were not engaged, based on your physical non-presence in the Union, a public international law specialist? …and did your factual instructions include all the nominally non-EU jurisdictions in which you operate?
Remember. When giving factual instructions to Counsel you’re instructing a computer: GIGO. Garbage in, garbage out.
Paragraph 11: As a result of any or all of the matters set out from paragraph 7 above, the Defendant’s processing of the Claimant’s personal data is engaged by the GDPR, further or alternatively by the LED.
This really just pleads the defendant is bagged by one or more components of Article 3 (and/or the LED as and when opportunity offers itself).
Paragraph 12: [just repackages Article 5, very deliberately using the same words, while being well-behaved for a change by not actually mentioning the law].
Paragraph 13: Further, as a result of paragraphs 11 and 12 above , as a matter of law the legal burdens of proof associated with the remainder of these Particulars fall upon the Defendant whenever any of the Accountability Principles are engaged
This is tantamount to a global reversal of the legal burden of proof from plaintiff to defendant. This is so important that against pretty much every single head of claim in the main body, the first thing I plead is, simply, "Paragraph [ref] above is repeated." Just to remind the court of this very exceptional rule by which most of the arguments in the case must be assessed. It’s common for the burden of proof to switch from time to time depending on the established rules (such as the law of evidence) governing the precise context. But it’s very rare for the defendant to shoulder the burden by default, and courts, instinctively will think otherwise.
There are other parts of the GDPR that expressly switch the legal burden of proof, either expressly by reference, or impliedly via import of artefacts such as statutory unfairness (Directive 93/13) and "rights and freedoms" (the Charter). But none switch it so "globally" as Article 5(2), because of the very wide-ranging accountability principles set out in Article 5(1).
Conversely, the plaintiff still has to prove that the GDPR is engaged. But once there, the defendant must disprove everything the plaintiff argues, or lose by default. That doesn’t mean the plaintiff can just spout the usual rubbish my clients always tell me is gospel truth – the "evidential burden" of proof still must be satisfied. But "my dad/my boss/the police told me that the moon is made of green cheese" is just about enough to satisfy the evidential burden for the pleading "the moon is made of green cheese". 15
This is super-critical. Especially for mass tort cases. Enough said!
As I promised at the beginning, I’m not going to discuss the 20+ remedies sought in the prayer (cf para 103). By all means read it and weep (or laugh) according to taste (and expertise). That’s why it’s there. How I get to those remedies, on the other hand, may be covered in future posts. But I’m afraid it may be a while coming – this took far longer to draft than I expected, and I’ve failed on expectations management before…
I should say that the "pleadings engine" app technically is not part of GDPR360 or its compliance software – though it shares a few hundred of the purely infrastructural Java classes. More significantly, it now fully shares the same legal architecture, along with the LA’s 40-odd classes. I decided to develop compliance software first, suspending pleadings work for four years. Now that it’s done, I’ve been retrofitting the legal architecture to the pleadings. So, though technically disconnected and using radically different frontends (to collect article 30 artefacts etc rather than conducting e-conferences, despite sharing identical metadatadictionary schemas and identical asynchronous communications protocols), in respect of the law they mirror each other – the more the one tends to think you’re compliant, the more pleadings you’ll de facto have eliminated from the other. And vice versa.
Most importantly for legal departments and their interaction with IT and the business, an available pleadings engine eventually might allow lawyers independently to wargame their compliance before their data subjects do, simply by answering questions, for example on their own Notifications, etc. The resultant pleadings may surprise them. And, of course, we mustn’t forget the way a competitor screwed over Google a few years back by a Blackpool Postcard (public enforcement request) resulting in a multi-billion fine for infringements of… data protection law.
I didn’t plan to end up sounding like a kind of mini-Krupp – it just turned out that way!
Read absolutely everything I’ve said above as if it had the prefix "It is submitted that…".
Please read the Disclaimer at https://www.gdpr360.com/disclaimer.
1 Academic law is too often as well presented as, and consequently as clear as, mud. Thus the very best law textbooks I’ve ever had are drafting practitioner texts: a precisely drafted precedent is a model of clarity and a thing of beauty and a joy forever. (ok, I’m a geek)
2 of assisting the Court to understand the facts and the law much faster than is possible with purely "paper" pleadings and conventional advocacy
3 When this para forward-references paragraph 10.6 it actually should read 10(f). Apologies for any confusion. Atm forward-referencing uses the default format and doesn’t check which alternative paragraphing format is actually selected by the referenced paragraph’s design rules – this is such a minor bug I haven’t yet found time and motivation to address it.
4 Actually this forward-referencing also is one of the drafting rules I’ve arguably broken – oral advocacy is presumed absent and in the context of the pleadings frequently being unavailable otherwise than in the print version, the connection is too non-obvious to justify substituting an internal hyperlink.
5 as I don’t practise law in Greenland I resort to the same diffidence that counsel must adopt to avoid misleading the court if uncertain.
6 One or two of these might be seen as low-tax regimes, but that’s not the purpose here. That said, I observe many of the Paradise Papers jurisdictions aren’t a million miles away from the arguments set out below for GDPR engagement, which I suspect just might get some lawyers thinking hard
7 This prohibition I think is due to Courts always knowing the law and disliking being preached at or "snowed" by idiotically sanctimonious lawyers. So it’s entirely reasonable and understandable. Sadly it overlooks the minor detail that in the adversarial common law system, which relies on the guidance of usually non-specialist judges by professional specialist advocates, such legal omniscience is a polite fiction in respect of (a) the knowledge in general of the average part-time deputy district judge conveyancing (or whatever) specialist before whom our little litigant in person might appear; (b) data protection law in particular. Certainly it can be (and is) put into the written endnote submissions, but I consider the occasional ire of the Court from such "front-loading" a worthwhile risk in ensuring the message gets across. I may be wrong…
8 for example in the EU’s December 2017 amicus brief to the US Supreme Court in US v Microsoft.
9 for avoidance of doubt this is NOT a reference to the USA per se, plenty of third country governments and Courts including those of my own nation have been abusive
10 endnote 12 "inexplicably" appears at this point. Amusingly, this is not a bug per se. What’s happening is that all the other endnotes are suppressed pending my fix of a bug not visible here.
11 The targets of this are not so much law enforcement agencies (even if they think they can deceive their way out of GDPR compliance), so much as to open a new flank on the more disreputable private sector enterprises that pretend to a law enforcement function while, for example, refusing to disclose CCTV to people wishing to bring civil or even criminal cases.
12 That nobody arguably including myself understood either.
13For the same reason, the hyperlink to my rudimentary skeleton on the point is deliberately disabled.
14 In my deep-dive GDPR course I spend a whole module on profiling – almost ten percent of the course.
15 As a human I’d still refuse to plead it, not because of misconduct by way of failing to satisfy the evidential burden, but because of misconduct by way of simple incompetence (so don’t expect to be awarded declaratory relief on the moon being made of green cheese, and you do appreciate you’ll make it much easier for the defendant to prove you’re a kook generally, don’t you?).