CJEU gives wide meaning to what constitutes an “establishment” for the purposes of data protection law enforcement.
What’s the issue?
The Data Protection Directive (Directive) states that applicable national data protection law is the law applicable to the processing of personal data “where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. The meaning of what constitutes an “establishment” was considered in the Google Spain judgment which held that the term should be broadly interpreted.
What’s the development?
The CJEU has ruled on a reference from Hungary which examined the scope of applicable data protection law and looked at what constitutes an “establishment” for the purposes of allowing regulators to enforce in their own Member States. In this instance, a Slovakian registered company Weltimmo, was found to have an establishment in Hungary despite not having an office there and was held to be conducting data processing in the context of the activities of that establishment. The CJEU held that this meant Hungarian data protection law applied and that the Hungarian regulator could impose fines itself rather than having to refer the matter to the Slovakian regulator.
The CJEU followed the judgment in Google Spain in giving a very broad interpretation to the scope of the Directive and to what constitutes an “establishment”. Factors which were taken into consideration included that: there were no company activities in Slovakia; the Weltimmo websites were in Hungarian and dealt with Hungarian properties; Weltimmo had a bank account and mailbox for company purposes in Hungary and, crucially, it had a representative resident in Hungary who served as a point of contact for the company.
What does this mean for you?
This ruling confirms the Google Spain judgment; the bar for claiming that you are not subject to local Member State data protection law is very high if you do business there. With the GDPRattempting to set up a ‘one stop shop’ for data protection law, we may see the influence of this judgment dissipated once the new law comes in but for now, this is another important issue to consider when processing personal data in the EU.
The CJEU reference related to a case involving a property website Weltimmo. Weltimmo is registered in Slovakia (although it has previously been registered in Hungary). It runs a property dealing website which deals with Hungarian properties and is in Hungarian. As part of the website, Weltimmo offered advertisers free adverts for a one month period after which a fee was charged. Many advertisers sought to withdraw their adverts and have their personal data deleted on expiry of the one month free period but Weltimmo did not act on the emails and then used the personal data to invoice the advertisers and for debt collection purposes when those invoices were not paid. Some of the advertisers complained to the Hungarian data protection authority (HDPA) which issued a fine of approximately 32,000 Euros. Weltimmo then brought an action in the Hungarian courts arguing that it was subject to Slovakian rather than Hungarian data protection law. The HDPA argued that Weltimmo had a Hungarian representative in Hungary as one of its owners lived there and was representing the company in the legal proceedings and had been dealing with the debt collection. The Hungarian court decided to stay proceedings and refer a number of questions to the CJEU on the issue of applicable law.
The CJEU makes a number of preliminary observations before considering the questions referred. These relate mainly to the business model of Weltimmo and include the facts that: it did not carry out any activities in Slovakia; it had moved its registered office back and forth between Hungary and Slovakia; it had two websites written exclusively in Hungarian; it had a bank account in Hungary which it used for debt recovery and a letter box there; and it had only two people in the company, one of whom was based in Hungary and had been negotiating attempted debt recovery.
The CJEU also observes that the real issue is what is meant by the concept of “establishment”. Of the eight questions referred, the CJEU interpreted the first six as asking:
“in essence, whether Articles 4(1)(a) and 28(1) of Directive 95/46 must be interpreted as permitting, in circumstances such as those at issue in the main proceedings, the data protection authority of a Member State to apply its national law on data protection with regard to a data controller whose company is registered in another Member State and who runs a property dealing website concerning properties situated in the territory of the first of those two States. In particular, the referring court asks whether it is significant that that Member State is the Member State:
- at which the activity of the controller of the personal data is directed;
- where the properties concerned are situated;
- from which the data of the owners of those properties are forwarded;
- of which those owners are nationals; and
- in which the owners of that company live.”
The CJEU observes that under Article 28(6) of the Directive, a supervisory authority can exercise the powers conferred on it whatever the national law applicable to the data processing in question. Applicable national law must be determined in accordance with Article 4 of the Directive which states that it is the law applicable to the processing of personal data “where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State”. Following Google Spain, the CJEU says this cannot be interpreted restrictively and that the Directive must be given broad territorial scope.
The CJEU points to recital 19 to the Directive which states that “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality is not the determining factor”. Recital 19 also requires that a single controller established in more than one Member State must ensure that each establishment complies with the applicable Member State law. The CJEU says that the presence of only one representative can, in certain circumstances, be sufficient to constitute a stable arrangement and that, crucially, “the concept of establishment within the meaning of the Directive, extends to any real and effective activity – even a minimal one – exercised through stable arrangements”.
In this case, the fact that Weltimmo runs one or more property dealing websites concerned with Hungarian properties, written in Hungarian and whose adverts are subject to a fee after a one month period “must be held that the company pursues a real and effective activity in Hungary”. The CJEU also cites the fact that Weltimmo had a representative in Hungary with a Hungarian address who served as a point of contact for these issues, a Hungarian bank account and letter box as being sufficient to verify the existence of an “establishment” for the purposes of Article 4(1) of the Directive. The CJEU then has to consider whether the processing of the personal data at issue was carried out in the context of the activities of the establishment (in accordance with Google Spain) which it easily concludes it does (simply loading information onto a web page is sufficient as established by Lindquist and Google Spain). What should not be taken into consideration, however, is the fact that the owners of the properties to which the adverts relate are Hungarian nationals.
The CJEU therefore concludes that Article 4(1)(a) of the Directive must be interpreted as meaning that the law of a Member State other than the one in which the controller is registered may apply where the controller exercises, through stable arrangements in the territory of that Member State, a real and effective activity – even a minimal one – in the context of which that processing is carried out.
When assessing this, the court may, in particular take into account the fact that the activity involves properties located in that Member State marketed through websites written in that Member State’s language and, as a consequence, mainly or entirely directed at that Member State; and that the controller has a representative in that Member State responsible for debt collection and representing the controller in proceedings (the conclusion revolved more around the particular facts but these are the elements to take by extension). The nationality of the persons affected by the data processing is not relevant.
The seventh question asked whether, if the Hungarian regulator concludes that the applicable law is not Hungarian but that of another Member State, it would be limited to exercising powers under Article 28(3) (investigation, intervention, legal proceedings) in accordance with the law of that other Member State and would not be able to impose penalties.
The CJEU finds that, while Article 28(3) may confer the power to issue fines, Article 28(6) which deals with territorial application of the powers of supervisory authorities, would impact on this power to apply it to a data controller not established in its own Member State. It concludes that while a supervisory authority may investigate any complaint it receives, no matter which Member State law applies and even before it knows which Member State law applies, if it concludes that applicable law of another Member State does apply, it will only be able to exercise powers of intervention (including imposing penalties) within its own territory where the controller is established there. It cannot impose penalties on the basis of its own law on a controller who is not established within its territory and must then request that the regulator of the other Member State whose law is applicable, take over.
A further question related to interpretation of a definition in Hungarian data protection law.