The Administrative Court of Hamburg recently overturned an order of the Hamburg Data Protection Authority (DPA) against Facebook.  The Court held that Irish, not German, data protection law was applicable, despite the existence of an office of Facebook in Germany.

The background

A woman complained to the Hamburg DPA after Facebook blocked her account for using a pseudonym, requested a copy of some identification and unilaterally changed her username to her real name. The Hamburg DPA found that Facebook could not unilaterally change users' chosen usernames to their real names, nor ask them for official identification, as German data protection law provides a right to a pseudonymous online profile.  

Overturning the DPA's decision, the Hamburg Court found that the business operations of Facebook Ireland and Facebook Germany constitute an "establishment" within the meaning of Article 4 (1)(a) of the Data Protection Directive 95/46/EC (the Directive).  However, it held that if several national data protection laws might apply due to the fact that the data controller is established in several Member States, then it is the law of the EU member state which the disputed data processing is most closely associated with which is to be applied.  According to the Hamburg Court, that was Facebook Ireland in this case, where Facebook has its European Headquarters. The Hamburg Court refused to apply a broad interpretation of the "establishment" test in Article 4(1)(a) of the Directive.  It distinguished the CJEU's judgment in Google Spain on the basis that the controller (Facebook) was established in an EU Member State, so that there was no risk that natural persons affected by the contested data processing operation would be deprived of the protection offered by the Directive.

A controversial issue

The question as to whether companies having a designated EU headquarters (acting as a controller) need comply with only one national law within the EU, or also with the laws of EU Member States in which they have a relevant establishment, has been a subject of much controversy in recent years. The Hamburg Court's decision is to be welcomed insofar as it interprets Article 4(1)(a) in a manner which means that multi-national companies, such as Facebook, might avoid having to comply with a multitude of conflicting national data protection laws.  However, companies should be aware that the decision contrasts with the broad interpretation of the territorial reach of Article 4(1)(a) taken by the Court of Justice of the European Union (CJEU) in Google Spain (C-131/12) and Weltimmo (C-230/14), and also by the Article 29 Working Party in its recent Update on Opinion 8/2010 on applicable law, published last December 2015.  Until the "establishment" test in Article 4(1)(a) is further clarified by the CJEU, it would be prudent for companies operating across the EU to ensure they co-operate with local DPAs in each Member State in which they have establishments.  

The CJEU's broad interpretation of the territorial reach of the Directive

Article 4(1)(a) provides for the territorial reach of the Directive.  It provides that each Member State will apply the national laws it adopts pursuant to the Directive where: "the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; [and] when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable".

In Google Spain, the CJEU found that EU law extends to data processing conducted by a foreign data controller established outside the EU, which has a relevant establishment in the EU.  The CJEU held that Article 4(1)(a) does not necessarily require the processing of personal data to be carried out "by" the relevant establishment itself, rather it is sufficient if the processing is carried out "in the context of the activities" of the establishment.  The CJEU concluded that the sales generated by Google's establishment in Spain, which promotes and sells advertising space, were "inextricably linked to" the processing carried out by US-based Google Inc.'s search engine, and that this "inextricable" link was sufficient to trigger the applicability of Spanish law.

The CJEU's decision in Weltimmo further confirmed that the notion of "establishment" in the Directive should be interpreted broadly.  The CJEU held that if a data controller exercises "a real and effective activity – even a minimal one" through "stable arrangements" in the territory of a Member State, it will be considered to have an "establishment" in that Member State.  Wetimmo was a company registered in Slovakia, but which the Hungarian DPA wished to fine for various breaches of Hungarian data protection law.  The CJEU found that Weltimmo was established in Hungary under Article 4 (1) (a) as it operated a website, written in Hungarian, which advertised Hungarian properties, it had a representative in Hungary, and used a Hungarian postal address and bank account for business purposes. The decision moves away from a one-stop-shop approach to data protection regulation, indicating that national DPAs cannot decline jurisdiction over a matter simply because a controller is registered in another Member State.  It is noteworthy however, that the CJEU did not address the question whether Slovakian law also applied, and if so, what to do about any conflict.

Article 29 Working Party Update of Opinion 8/2010

The recent decision of the Hamburg Court also conflicts with the broad interpretation of Article 4(1)(a) taken by the Article 29 Working Party in its updated Opinion on applicable law.  That Opinion suggests that companies must comply with the data protection laws in each Member State in which it is established, rather than only the law of the Member State where it is principally established. The Opinion states: "The Directive does not create a "one-stop-shop" whereby it would only be the law of the Member State of the "EU headquarters" that would apply to all processing of personal data throughout the EU…It is not at all uncommon that a company headquartered in one EU Member State and having operations in multiple EU Member States would need to comply with the laws of each of these Member States." 

The Opinion goes on to give the example of a bank headquartered in one Member State but offering retail banking services and operating a large number of branch offices throughout the EU. It notes that the bank would have to comply with each of the local laws where the branches are based.  It states "what applies in the off-line, bricks and mortar world, must also apply in the digital world.  The contrary could risk encouraging businesses that are sufficiently mobile, such as many engaged in doing business online, to engage in forum shopping".

One stop shop under the EU GDPR 

The EU General Data Protection Regulation (GDPR), which will repeal and replace the Directive, is expected to be published in the Official Journal in the coming months, and come into force in Spring 2018 (see our dedicated EU GDPR webpage).   The GDPR will create a single pan-EU data protection law, with limited scope for deviations under local laws, and will therefore do away with the current conflict of laws problem.  In line with the decision of the Hamburg Court, the GDPR also advocates a "one-stop-shop" whereby the supervisory authority for the main establishment of the controller or processor will be the lead authority for ensuring compliance by that entity throughout the EU.  However the original proposal was watered down in the face of strong opposition, with the result that where companies have multiple establishments in the EU, then supervisory authorities in other Member States where that entity is established, or where data subjects are significantly affected, or authorities to whom a complaint has been made, can be involved in cases, and the lead authority must co-operate with them. Where the lead authority and concerned authorities disagree, the European Data Protection Board (EDPB) will make a binding decision based on a two-thirds majority vote, and the supervisory authorities involved will be bound to comply with the EDPB's decision.

It remains to be seen how the one-stop-shop will work in practice, but the introduction of a lead authority to deal with regulatory compliance will be welcomed by multi-national companies operating across the EU.