A. Background
In 1995, the EU significantly began protecting its citizens’ personal data with the Data Protection Directive (DPD). DPD Article 25 mandates EU countries transferring personal data intended for processing to third countries to find that the third country “ensure an adequate level of protection.” Absent such a finding, data controllers can transfer data only after ensuring “adequate safeguards” are in place, and “such safeguards may in particular result from appropriate contractual clauses.” The European Commission accordingly published three sets of SCCs under the DPD in 2001, 2004, and 2010.
To satisfy an Article 25 finding of adequacy, the United States issued the Safe Harbor Privacy Principles in 2000, and the European Commission recognized the system of voluntary self-assessment of U.S.-based companies. But, in 2015, the Court of Justice of the European Union (CJEU) invalidated the Commission’s decision and the Principles. In response, in 2016, the EU and the United States agreed on the EU-U.S. Privacy Shield as a replacement system, which the Commission approved. The Shield came into effect in 2016, and numerous U.S.-based companies joined it to easily comply with the GDPR.
The GDPR then entered into force in 2018, twenty-three years after the DPD. While the DPD was not binding on all EU member states, the GDPR is a uniform law. The GDPR maintains the transfer of personal data pursuant to an adequacy decision made by the European Commission, per Article 45(3). Alternatively, personal data may be transferred “only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.” One of the recognized “appropriate safeguards” is “standard data protection clauses adopted by the Commission . . . .” Thus, parties transferring data must comply with GDPR standards.
In 2020, the CJEU, in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Schrems II), invalidated the EU-U.S. Privacy Shield but upheld the European Commission Decision 2010/87 by holding that SCCs are a valid ground for transferring personal data outside the EU. The court reasoned that the Privacy Shield lacked the force of law in keeping personal data from being viewed by governmental agencies, but SCCs, with requisite assessments, are “effective mechanisms which, in practice, ensure that the transfer to a third country of personal data . . . is suspended or prohibited where the recipient of the transfer does not comply with those clauses or is unable to comply with them.”
B. The New Standard Contractual Clauses
The update in the SCCs is important to note because “SCCs are the dominant mechanism for cross-border transfers of personal data among commercial entities.” It is likely the SCCs will be increasingly employed now that the EU-U.S. Privacy Shield has been invalidated. The new SCCs comply with data protection updates in the GDPR, the Schrems II decision, and introduce increased flexibility for contracting and affected parties.
The SCCs incorporate the developments in data protection the GDPR introduced, while offering a broader definition of personal data; the definition covers such “online identifiers” as IP addresses or mobile device identifiers, geolocation and biometric data, and online behavior. The GDPR provides additional safeguards for this data, such as a right of access, erasure, and objection to processing for direct marketing. Further limitations on how the data may be used are also available. For example, while the DPD did not allow profiling, the GDPR Article 22 mandates suitable safeguards not only for profiling but a broader approach of any automatic processing with legal effects, including decision support systems.
In accordance with the GDPR, the SCCs place heightened responsibilities on data processors and controllers. Responsibilities for the data exporter, whether a controller or a processor, include guaranteeing appropriate data protection safeguards. Further, while the controller is given flexibility in how to structure compliance, the controller assumes the responsibility for making sure that the processing entity compensates for gaps in the law. Additionally, the data exporter must provide data subjects with information regarding intent to transfer their personal data, including the categories of personal data processed, the right to obtain a copy of the standard contractual clauses, and any onward transfer. Meanwhile, the data importer must document its activities and notify the data exporter if it believes it may not comply with the SCCs. The data importer must also inform data subjects of a contact point and deal promptly with any complaints or requests. Finally, each party must ensure that the data is accurate and that only necessary data is transferred.
Before any transfer can occur, however, the parties must undertake a transfer impact assessment, which must be documented and made available to EU data protection regulators upon request. The SCCs follow the risk-oriented obligations of the GDPR in providing several aspects parties must consider when warranting “that they have no reason to believe that the laws and practices in the third country” would “prevent the data importer from fulfilling its obligations.” The SCCs also obligate the parties to continuously monitor compliance, and failure to comply with the clauses or to suspend transfers upon lack of compliance exposes the parties to liability not only to data subjects, but also between the parties.
Clause 15 of the SCCs also complies with the Schrems II decision by obligating the data importer to maintain records of and notify the data exporter when it receives a request for access from public authorities whenever possible. The data importer is also required to challenge any requests from public authorities that it believes to be unlawful and employ available appeals processes. These protocols comply with the Schrems II decision that, per Article 46(1) of the GDPR, data subjects need access to “appropriate safeguards, enforceable rights and effective legal remedies.”
Data subjects may invoke and enforce the clauses as third-party beneficiaries, with limitations as to the obligations of data processors and controllers. In the event of a dispute, the data subject can invoke third-party beneficiary status and lodge a complaint with a supervisory authority or refer the dispute to the courts in the EU.
The SCCs offer a greater degree of adaptability to different business relationships; there are four modules that cover data transfers between controller-controller, controller-processor, processor-processor, and processor-controller. Previous SCCs did not contemplate processor-to-processor or processor-to-controller transfers. Significantly, a data exporter and processor can now be a non-EU entity, which broadens the GDPR’s international reach. The SCCs also provide more choices for governing law and venues during disputes, and more than two parties may adhere to the contract terms through the optional docking clause. It is worth noting that the SCCs cannot be modified but can be amended without restricting the “fundamental rights or freedoms of data subjects.”
C. Going Forward
After September 21, 2021, businesses and other entities must use the new SCCs to conduct data transfers. As for businesses transferring data under the previous SCCs, the transfers must comply with the new regulations by December 27, 2022. If entities do not comply with the regulations, they will be subject to legal redress, such as court proceedings, audits, any measures adopted by GDPR-established data supervisory authorities, or administrative penalties up to four percent of the annual gross revenue of an entire corporate group.
It is imperative that companies transferring personal data, as the GDPR broadly defines it, review the policies and contracts under which the data is transferred and understand their new responsibilities. The data transfers may now encompass, among other things, human resource records, performance reviews, employee benefits, and user logs. Parties to the SCCs must assess how to, for example, conduct transfer impact assessments.
While there are certainly benefits in expanding data protection regulations, the Schrems II decision introduced further uncertainty into the issue of data transfers by invalidating the EU-U.S. Privacy Shield, and, while the new SCCs seem to comply with the decision and the GDPR, there are still unresolved concerns. The first concern is how broadly EU and GDPR law applies, although it has been suggested that the scope of the commercial purposes determines the application of EU law to third countries during a transfer, with EU law extending to post-transfer processing on the condition that it takes place for commercial purposes, rather than on behalf of national security agencies. The continued transfer of data to the United States also remains under threat, as neither Schrems II nor the SCCs eliminate the risk of governmental interference. The updated SCCs represent the EU’s latest effort to enforce European law in other jurisdictions for cross-border transfers of data again, a venture whose fate may lie with the courts.
II. Three Years of GDPR: Enforcement (or Lack Thereof) and Its Impact on Cross-Border Contracts
A. Introduction
The GDPR is well-intentioned and, when it was introduced, had high expectations for changing practices in the business world. In 2021, three years after its adoption, although there are strong examples of penalties and fines being imposed on businesses, the question remains: Has GDPR enforcement (or lack thereof) changed the way cross-border contracting is carried out?
This article will address the GDPR’s initial plans for enforcement, actual instances of enforcement over its three years of existence, and whether anything about the GDPR has changed cross-border contracting practices.
B. GDPR Plans for Enforcement and Expectations
In 2016, the GDPR was introduced as a regulation to govern all data privacy in the EU, replacing the EU Data Directive. The ultimate goal of the GDPR is to protect the “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” In the second recital of Article 1, the regulators state that the GDPR “is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.”
As of 2018, during implementation, the GDPR contained specific provisions to govern fundamental rights and freedoms in data privacy, as well as governance over the use and transmission of data.
Cross-border transfers are primarily governed under Chapter V of the GDPR, which includes Articles 44 through 50. Article 45 allows for transfers of personal data when the recipient country or international organization “ensures an adequate level of protection.” If a country does not provide an adequate level of protection, Article 46 permits transfers when appropriate safeguards are in place. If there is neither an adequacy decision nor appropriate safeguards in place, Article 49 provides for specific derogations under which cross-border transfers of personal data may be permitted.
The text of the GDPR outlines several avenues for enforcement. Contingent upon the type of infringement, Article 83 permits administrative fines up to €20 million or four percent of a company’s total worldwide revenue in the preceding financial year, whichever is larger. Recital 129 affirms that supervisory authorities have the power to ban or limit the ability of violators to process data.
Data protection authorities (DPA) are responsible for monitoring the application of GDPR and handling complaints. Although investigations of complaints are overseen by the supervisory authority where the company in question has its main establishment, the consistency mechanism under Article 63 requires cooperation and coordination between data protection authorities of different member states.
The following sections assess whether enforcement has considered elements of cross-border contracting and whether any considerations have impacted the trends in cross-border contracting, via data transfers or otherwise.
C. Actual Enforcement
Since inception, supervisory authorities have levied approximately 1,034 fines and €1.6 billion in penalties for violations under the GDPR. While this amount seems impressive, enforcement has been lackluster, and many critics comment on the slow uptake of recommended enforcement mechanisms across EU member states. Limited resources, insufficient funding, and inadequate staffing have impeded enforcement—particularly in Ireland, the main establishment of many major tech companies, including Facebook, Twitter, Google, and Apple.
The consistency mechanism has also hindered the speed of investigations, as cases become backlogged while awaiting input from various DPAs. These frustrations even prompted the head of Hamburg’s data protection commission to claim that the GDPR was “broken.” “At the end of the day,” he stated, “our energies are spent on infighting.” This demonstrates that enforcement of the GDPR leaves much to be desired.
Nonetheless, in 2021, authorities appear to have ramped up enforcement. Between January and November 2021, DPAs filed 395 fines against companies, totaling €1,058,690,920 (which represents eighty-one percent of all fines issued from the inception of the GDPR to November 2021).
With respect to cross-border data transfers specifically, few cases have addressed it. Furthermore, looking back on the examples of enforcement in 2021, little attention is paid to contractual language or processes. In fact, in 2021, DPA’s analyses of violations have quoted articles from Chapter V of the GDPR in only nine out of 313 fines arising from enforcement.
Looking back at 2021’s most notable and significant penalties for breaches of the GDPR, most fines related to issues of consent and transparency (under Articles 5, 7, 12, 13, and 14). High profile instances of enforcement, like the Ireland Data Protection Commission’s (DPC) fine against Facebook and the German DPA’s fine of notebooksbilliger.de, focused on compliance with transparency and consent but did not address Chapter V issues relating to cross-border contracts. This focus is apparent in many other examples of enforcement in 2021. Even when Chapter V articles were mentioned, such as in the DPC’s decision on WhatsApp, authorities were more concerned with the availability of information about the transfers rather than the transfers themselves.
Overall, although there has been an increase in the number of instances of GDPR enforcement, very few have addressed cross-border contracting. The question remains: Have the trends in GDPR enforcement impacted the practical use of cross-border contracts, especially with regards to data privacy and data transfers?
D. How Cross-Border Contracting Has Changed (or Hasn’t)
Although some may see the increasing trend in enforcement actions under the GDPR in 2020 and 2021, there is little reference in these most recent (and significant) penalties to contractual processes or considerations. With Ireland as one of the most impactful enforcement agencies in 2021, many companies without a formal connection or link to Ireland will view recent penalties and associated issues as specific to Ireland and without relevance to other cross-border transactions. Any company engaging in cross-border contracting could see this lack of interest from regulatory bodies as a sign that things may carry on as they did before the GDPR came into effect.
There is no doubt that corporations have altered attitudes towards customer engagement and data processing based on the GDPR, but it appears that this scope of concern is limited to the management of consumer and user data (in the context of consent and transparency), rather than the nuances associated with cross-border contracts. Businesses seem far more focused on compliance with data protection language in user agreements and terms of use than on contractual relationships internationally.
E. Where Is Enforcement Going?
The uptick in enforcement decisions in 2021, as well as resolutions and guidance adopted by a variety of European regulatory bodies, suggests that future enforcement of the GDPR may be increasingly vigorous. Although fines have yet to approach anywhere near the four percent limit of Article 83, WhatsApp Ireland’s penalty of €225 million and Amazon’s €746 million fine likely portend more assertive action on the part of data protection authorities.
In the most significant ruling impacting cross-border contracting at this point in time, referred to as the Schrems II decision, the CJEU invalidated the EU-US Privacy Shield, which facilitated data flows between the two countries, on the grounds that U.S. regulations were insufficient to satisfy the privacy requirements under the GDPR. In its decision, the court emphasized that supervisory authorities are obligated “to suspend or prohibit a transfer of personal data to a third country” that cannot adequately comply with the standard of data protection required under EU law.
On May 20, 2021, the European Parliament adopted a resolution on Schrems II, rebuking the Irish data authority for its failure to adequately enforce the GDPR and emphasizing its concern with the lack of attention paid to cross-border data transfers. On June 18, 2021, the European Data Protection Board (EDPB) published new recommendations for data transfers following Schrems II, laying out a six-step process for assessing the need for supplementary measures for data transfers and providing guidance for evaluating transfer mechanisms, such as binding corporate rules (BCR) and contractual clauses. Two weeks earlier, the European Commission had also published new SCCs for cross-border data transfers, which must be fully adopted by both new and existing contracts as of December 27, 2022.
It remains to be seen whether the apparently renewed commitment by the EU will translate into increased enforcement actions for violations of the data transfer requirements under the GDPR, or if the adoption of the standard contractual clauses will be sufficient to satisfy further inquiry from regulatory bodies.
F. Conclusion
The GDPR is widely touted as the greatest shift in data privacy regulation of the century, and rightfully so—with protections of users’ rights in commercial use, as well as cross-border transfers, the GDPR establishes fundamental freedoms within digital spaces and codifies the rights of users across the EU.
But enforcement in the GDPR’s three-year history has only just begun to increase in prevalence, and this shift has been limited to consent and transparency. Enforcement increases in the narrowed context of Chapter V protections against improper and unjustifiable cross-border data transfers, specifically with respect to contractual relationships, remain to be seen.
Many critics view the GDPR’s enforcement thus far as lackluster, and this is most demonstrable in the cross-border data context. It appears that businesses have not yet been incentivized to effect change in cross-border contractual processes and the question remains: Will we ever see such a change?
III. H.M.B. Holdings Ltd. v. Antigua and Barbuda
On November 4, 2021, the Supreme Court of Canada (SCC) dismissed an appeal of a decision of the Ontario Court of Appeal, defining “carrying on business” in a jurisdiction and furthering the debate on so-called “ricochet judgments.”
H.M.B. Holdings Limited (HMB), a private company based in St. Louis, Missouri, and incorporated in Antigua and Barbuda (Antigua), owned the Half Moon Bay Resort in Antigua. In September 1995, Hurricane Luis destroyed the resort. HMB wanted to redevelop the land, but Antigua expropriated the property in 2007. From there arose a dispute about the compensation owed, which culminated in an appeal to the Judicial Committee of the Privy Council in the United Kingdom, the court of final appeal for Antigua.
The Privy Council issued a judgment in February 2014 and a final order in May 2014, fixing the compensation owed by Antigua at over $26 million, plus interest. In December 2015, Antigua sold the resort to a subsidiary of Replay Resorts Inc., a company incorporated in British Columbia, and paid part of its debt to HMB. In a bid to obtain the unpaid balance, in October 2016, HMB initiated a common law action in the Supreme Court of British Columbia, seeking enforcement of the Privy Council judgment, with the goal of intercepting Replay’s outstanding payments to Antigua. Antigua did not respond to the action and a default judgment was entered in April 2017, along with a garnishment order against Replay.
A year later, in May 2018, HMB applied to the Ontario Superior Court of Justice to register the British Columbia judgment pursuant to the Reciprocal Enforcement of Judgments Act (REJA), presumably to enable HMB to seize assets owned by Antigua in Ontario. According to paragraph 4(a) of the REJA, once the foreign judgment is registered under the REJA, it has the same force and effect as a judgment originally obtained from the registering court. Thus, REJA, like other reciprocal enforcement legislation, provides a streamlined path between jurisdictions that allow for mutual enforcement of judgments. For instance, British Columbia’s own REJA accepts the expedient registration of judgments from other Canadian provinces (except Québec), Austria, the United Kingdom, Germany, certain Australian jurisdictions, and the American states of Washington, Alaska, California, Colorado, Idaho, and Montana.
It should be noted that, had HMB attempted, in October 2016, to have the Privy Council judgment recognized by common law action in Ontario instead of British Columbia, it would have been statute-barred, as Ontario’s Limitation Act prescribes a general limitation period of two years. On the other hand, British Columbia’s Limitation Act sets the limitation period at ten years.
Antigua opposed the registration in Ontario of the British Columbia judgment, pleading paragraphs 3(b) and 3(g) of the REJA. Per paragraph 3(b), a judgment may not be registered if the judgment debtor neither carries on business nor resides within the jurisdiction of the original court nor voluntarily appears at the proceedings in that jurisdiction. The parties agreed that Antigua was not a resident of British Columbia and did not appear during the proceedings in that province but disagreed on whether the Citizenship by Investment Program (CIP) operated by Antigua was considered “carrying on business.” At the time of the British Columbia action, Antigua’s only activity in British Columbia was its contract with four authorized representatives of the CIP who facilitated investments in Antigua’s real estate, businesses, and National Development Fund.
For its part, paragraph 3(g) of the REJA bars registration in Ontario if the judgment debtor would have a good defense if an action were brought on the original judgment. Antigua argued that the original judgment in this case was the Privy Council judgment, and, thus, it would have a good defense had HMB brought an action on that judgment in Ontario, given the two-year limitation period.
The trial judge and the Ontario Court of Appeal both agreed with Antigua, although Justice Nordheimer, JA, dissented on both points. Regarding the test for “carrying on business,” he argued, citing the SCC case Chevron Corp v. Yaiguaje, that Canadian courts “have adopted a generous and liberal approach to the recognition and enforcement of foreign judgments,” and, therefore, the bar for proving that a party was “carrying on business” was a “very low” one. He further opined: “in this digital age, it is often unnecessary to have any physical presence in order to carry on a business.” As for the meaning of “original judgment,” Justice Nordheimer reasoned that the phrase “original court” was defined in the REJA as the court by which the judgment was given; therefore, “original judgment” referred to the British Columbia judgment, against which Antigua would have no defense if an action were brought thereon.
The SCC sided with the majority of the Court of Appeal and held that paragraph 3(b) barred HMB from registering the British Columbia judgment. The majority’s reasons centered on the interpretation of “carrying on business,” an expression that is not defined by the REJA. The SCC confirmed that the test for “carrying on business” for the traditional presence-based jurisdiction affirmed in Chevron was whether a business had “some direct or indirect presence in the jurisdiction, accompanied by a degree of business activity that is sustained for a period of time.” It found that the “generous and liberal” approach mentioned by Justice Nordheimer did not modify this test and that a “physical presence in the form of maintenance of physical premises will be compelling, and a virtual presence that falls short of an actual presence will not suffice.”
Given its interpretation of paragraph 3(b), the SCC found it unnecessary to adjudicate whether there was a “good defense” pursuant to paragraph 3(g) of the REJA, or whether the British Columbia judgment, as a recognition judgment, even falls within the definition of “judgment” under the REJA.
A. Concurring Reasons
Justice Côté agreed with the majority’s analysis and disposition of the appeal but wrote separately on the issue of so-called “ricochet judgments”—an issue that the majority of the court decided to leave open for another day. The term “ricochet judgment,” also known as “derivative judgment,” refers to a judgment that enforces a judgment of a non-reciprocating jurisdiction.
The REJA applies to “a judgment or an order of a court in any civil proceedings whereby any sum of money is payable.” A question was raised as to whether a ricochet judgment, such as the British Columbia recognition judgment, falls within this definition and can be registered in Ontario.
In answering that question, Justice Côté drew a distinction between a judgment resulting from a common law action that recognizes a foreign judgment (a “recognition judgment,” such as the British Columbia judgment in the case at bar) and a judgment that has itself been registered under reciprocal enforcement legislation. According to Justice Côté, the former falls squarely under the REJA’s definition of judgment, in its grammatical and ordinary sense, as it is a judgment that makes a sum of money payable. To read an exception for derivative judgments into such a plain language definition would be unwarranted. On the other hand, in Justice Côté’s opinion, the REJA would not permit the registration of a judgment that has itself been registered because such a judgment does not make money payable. Rather, it converts a foreign judgment into a local one.
The H.M.B. Holdings Ltd. v. Antigua and Barbuda case provides welcomed clarity on the question of what it means to be “carrying on business,” at least for the purposes of the REJA, if not for the enforcement of foreign judgments in general. It is now presumably settled that when the argued connecting factor is that of carrying on business, the analysis is the same, whether the court is assessing whether it has jurisdiction to hear an application for recognition or whether it may give effect to a foreign judgment. To be sure, this elucidation is good news for foreign businesses operating in Canada from a distance with minimal physical presence in Canada. On the other hand, the Supreme Court’s ruling does not completely resolve the matter of ricochet judgments. Indeed, if a recognition judgment is obtained against a party that does carry on business in the recognizing jurisdiction or that has attorned to the jurisdiction, will the court of the lex fori register such judgment if the original jurisdiction is not a reciprocating jurisdiction of the lex fori? Unless amendments are made to Canada’s reciprocal enforcement statutes, we will need to wait for further court decisions.
IV. Martinair/KLM—Creeping Transfer of Undertaking
The acquisition of a business can take place in two distinct ways. The buyer can purchase the shares in the corporate entity conducting the business, or the buyer can buy the assets necessary to operate the business from that corporate entity. In the first case, the relationship between the business and its employees does not change; because the legal situation between them remains the same, only the ownership of the corporate entity (on a higher level) changes.
An asset deal is different. The employees will find themselves employed by a company that has a diminished business (or none), and the buyer can pick and choose which employees it wants to rehire, and under what conditions. To remedy this, in 1977, the EU adopted the Transfer of Undertaking, Protection of Employees (TUPE) Directive (the Directive). This Directive was implemented into Dutch law as articles 7:662-666 BW (Burgerlijk Wetboek, Dutch Civil Code).
Article 3 of the Directive stipulates: “The transferor’s rights and obligations arising from a contract of employment or from an employment relationship existing on the date of a transfer shall, by reason of such transfer, be transferred to the transferee.” This rule applies to any transfer of an undertaking, business, or part of an undertaking or business to another employer after legal transfer or merger. A transfer occurs upon transfer of an economic entity which retains its identity, or an organized grouping of resources which has the objective of pursuing an economic activity, whether that activity is central or ancillary.
Further, the existence of a transfer is, according to the CJEU, dependent on whether the identity of the undertaking is preserved in the transfer. To determine whether the conditions for the transfer of an entity are met, it is necessary to consider all the facts characterizing the transaction in question, including the type of undertaking or business; whether or not its tangible assets, such as buildings and movable property, are transferred; the value of its intangible assets at the time of the transfer; whether the majority of its employees are taken over by the new employer; whether its customers are transferred; the degree of similarity between the activities carried on before and after the transfer; and the period, if any, for which those activities were suspended. But all those circumstances are merely single factors in the overall assessment made and are not considered in isolation.
In assessing the facts characterizing the transaction in question, among other things, the type of undertaking or business concerned must be considered. It follows that the degree of importance to be attached to each criterion for determining whether there has been a transfer within the meaning of the directive will necessarily vary according to the activity carried on or, indeed, the production or operating methods employed in the relevant undertaking, business, or part of a business.
Given these abstract criteria, it is not surprising that, even after almost forty-five years, there still are questions on this matter to be answered. A recent decision by the Hague Court of Appeals in the “Martinair/KLM” case is demonstrative. The facts of the case were as follows:
Martinair was originally an airline charter company. Since 1964, KLM owned fifty percent of the shares in Martinair. In 2008, KLM acquired full ownership. Since then, over a period of five years, KLM step by step dismantled Martinair (its former competitor). In 2009, parts of Martinair Cargo (MAC) and KLM Cargo were combined. MAC ground personnel were transferred to KLM Cargo (with preservation of seniority). In 2010, MAC and KLM Cargo were further commercially integrated, and a “bellies and combis first” strategy was implemented.
In 2011, Martinair’s passenger division was terminated. Martinair personnel went to KLM in a starter’s position without seniority. Also in 2011, the commercial organizations of MAC and KLM Cargo were fully integrated, and seventy-one Martinair pilots (passenger and freight divisions) were transferred to KLM in a starter’s function without seniority. In 2013, KLM appointed two KLM senior managers as the full Martinair board. In 2013 and 2014, most Martinair operational departments were transferred to KLM.
The present situation is that MAC is now “Operating Carrier,” solely concluding ACMI (Aircraft, Crew, Maintenance, Insurance) contracts. It is no longer transporting its own freight but only transport service for other airlines. All other previous Martinair activities are now performed by KLM. Martinair personnel is limited to freight pilots. All other personnel for the Martinair activities are seconded by KLM.
In addition, KLM is Martinair’s sole customer. Since January 1, 2014, KLM is committed to purchase a yearly guaranteed number of flying hours from Martinair against a fixed tariff, plus fuel costs (no surcharge) and other flight-related costs (three percent surcharge). Under the arrangement, KLM charges Martinair for commercial and support services. All Martinair freight services to third parties (Etihad, Kenya) ceased in 2014.
In 2015, 181 Martinair freight pilots (in the present proceedings, 116 were left) instituted legal proceedings against KLM, demanding a “Declaration of Right” that, as of January 1, 2014, they are (by the workings of the Directive) employees of KLM with full seniority and demanding an order to offer them appropriate work within ninety days.
As mentioned above, the CJEU had earlier decided that the nature of the assets to be transferred, tangible or intangible, to constitute a “transfer of business,” depends largely on the nature of the business concerned. The CJEU had also earlier decided that, in a situation which concerned the air transport sector (as in this Martinair/KLM case), the fact that tangible assets are transferred must be regarded as a key factor for the purpose of determining whether there is such a “transfer of a business.” Such transfer of assets does not necessarily have to be accomplished by a transfer of property.
Given this earlier decision, it is not surprising that both in the first instance and on appeal, the pilots’ claims were denied. Martinair was still operating its own freighters, flown by the Martinair pilots. Since there was no transfer of tangible assets (planes), there was no transfer of business.
But, upon appeal to the Dutch Supreme Court (Hoge Raad), the latter decision was quashed, and the case referred to the Hague Court of Appeal. That Court came to a radically different conclusion: a transfer of enterprise had occurred, and the pilots were engaged as employees of KLM as of January 1, 2014. The Court provided the following reasons:
(1) After KLM’s 100 percent acquisition, a commercial and operational integration occurred. All air-freight activities had been taken over, except the full-freighter transport. Only the freight pilots were in Martinair’s employ, and Martinair is commercially completely dependent on KLM, its only customer. The ACMI and cost, plus the contracts, resulted in KLM carrying the entire economic risk.
(2) KLM had actual control over MAC’s fleet: KLM owned three of its four planes (painted in KLM colors, the fourth was a spare plane). KLM determined how, where, and when this fleet was engaged (through its “bellies and combis first” strategy, the bellies and combis are both KLM). Therefore, a transfer of (control over) the planes as critical assets occurred.
(3) A number of Martinair destinations were taken over by KLM.
(4) There was a significant overlap between the freight transported by MAC and that transported by KLM.
The Court ordered KLM to offer each plaintiff work appropriate to their Martinair function and function level within twenty days and provide them with a written description of their work conditions. But placement on the KLM seniority list in another position than the one resulting from the January 1, 2014, start of KLM employment (i.e., by taking into account the Martinair years) was refused. The Court of Appeal reasoned that, because the pilots were entitled to their January 1, 2014, salary, placement on the KLM seniority list (which by its nature is vastly different from the Martinair one) in a corresponding position was not a financial right that follows a transfer of enterprise.
This decision shows that a transfer of business need not be a straightforward one-time sale or transfer of activities but can occur in a “creeping” fashion. Suddenly, it transpired that KLM’s workforce was enlarged by 181 (or 116) pilots. It is certainly something that must be considered very carefully in such cases.
The seniority decision was a bitter blow to the pilots, who have again appealed to the Hoge Raad. Such an appeal typically takes between eighteen and twenty-four months. So maybe The Year in Review for 2022 will have a follow-up. If not, the 2023 one will.