In the whirlwind of attention which followed the invalidation of Safe Harbor, observers might be forgiven for missing another recent – and important – data protection judgment. The judgment of the Court of Justice of the European Union (“CJEU”) in Weltimmo (case C‑230/14) was handed down shortly before the Schrems ‘Safe Harbor’ ruling.

Weltimmo deals with two issues:

  1. the rules determining which national data protection law applies to an organisation that is operating in multiple EU Member States; and
  2. the powers of national data protection authorities (“DPAs”) in such cases.

How did the case arise?

This decision concerned a property advertisement website run by Weltimmo. Weltimmo was a Slovakian company, but the website dealt with property situated in Hungary and was written in Hungarian. Weltimmo had been fined by the Hungarian DPA for breaches of local law and Weltimmo challenged the fine in the Hungarian courts.

The Hungarian courts referred questions to the CJEU, asking whether:

  1. Hungarian law properly applied to Weltimmo; and
  2. the Hungarian DPA had validly exercised its powers.

Which data protection law?

While the Data Protection Directive is a piece of EU law, each Member State implements the Directive in its own national law, resulting in some differences from state to state. Therefore, for organisations operating across borders, the challenge can be determining what national law applies to that organisation’s activities.

The Data Protection Directive sets out a test to determine what law applies in such cross-border scenarios. A key aspect of the relevant test is to determine whether the organisation is deemed to have an “establishment” in the country in question and in the context of which personal data is processed. In this case, the CJEU considered that Weltimmo was likely to have a relevant establishment in Hungary, on the basis that its data processing was in the context of “a real and effective activity” pursued in Hungary.

Therefore, the CJEU found that Hungarian data protection law would likely apply to Weltimmo, subject to the Hungarian court determining certain factual issues. Some of the relevant factors the Court identified were:

  • the website dealt with properties in Hungary and was written in Hungarian, meaning its operations were “mainly and entirely directed” at Hungary;
  • Weltimmo had a representative in Hungary, who was responsible for collecting debts and for representing the data controller in administrative and judicial proceedings relating to the data processing;
  • Weltimmo had a Hungarian bank account and post box; and
  • Weltimmo did not carry out any activity in Slovakia.

What are the regulator’s powers?

The CJEU also looked at the powers of the national DPA in circumstances where a foreign data protection law applied to a company doing business within its territory. In other words, what could the Hungarian DPA do if Slovakian law applied?

The CJEU stated that a DPA could generally investigate complaints received from data subjects, regardless of the law governing the relevant organisation.

The CJEU also noted that where the organisation’s processing of data is governed by the law of one state, e.g. Slovakia, but is investigated by a regulator in another, e.g. Hungary, that regulator has no power to impose penalties outside its territory, i.e. outside Hungary.

In addition, a national DPA cannot impose penalties based on the data protection law of another state, nor may it establish infringements of foreign law.

What are the implications of the decision?

In some respects, this judgment follows in the footsteps of the Google Spain decision in lowering the threshold for a business to be considered “established” in a Member State for data protection purposes.

However, the judgment also provides some helpful guidance as to how DPAs ought to exercise their often overlapping jurisdiction. The judgment makes clear that while DPAs are entitled to investigate complaints that they receive, they do not have jurisdiction to impose extraterritorial penalties or take action against a company which is subject to a foreign data protection law.