In June, the Attorney General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued his opinion (English translation pending) in the case of Verein für Konsumenteninformation v Amazon EU Sàrl (Case C-191/15). The opinion makes potentially important observations about which law should apply to the processing of personal data under the Data Protection Directive (95/46/EC) (“Directive”).
Where an organisation conducts data processing operations in several Member States, the AG’s opinion is that Article 4(1)(a) of the Directive should be interpreted so that the law of one single Member State applies. To determine which Member State’s law should apply, the “establishment” of the controller should be analysed. The controller’s establishment should be where there is “real and effective activity” exercised “through stable arrangements” (the interpretation of ‘establishment’ provided by the CJEU in Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (C-230/14)).
The opinion is not binding on the CJEU; however, if the court were to follow it, then organisations that have structured their operations so that the law of only one Member State applies to processing activities will breathe a sigh of relief. The case law of the CJEU has recently been developing in such a way that organisations’ processing activities are potentially subject to the data protection laws of several different Member States, causing an increased compliance burden. The CJEU is now in a position to offer such organisations some administrative relief.