Although Switzerland is not a member of the EU, Swiss companies ought to be aware that their data processing activities may be caught by current as well as future EU data protection law, including the upcoming General Data Protection Regulation with its draconian sanctions – even when their processing of data is carried out in Switzerland.
- EU Data Protection Law May Apply to Foreign Companies
Companies having their headquarters in Switzerland might think that European law cannot apply to their data processing, but they would be mistaken. European law may very well apply to companies that are not incorporated in an EU member state, and that will not change with the General Data Protection Regulation – quite to the contrary.
Under current legislation, the relevant provision is Art. 4(1)(a) of Directive 95/46, which states that national law applies to the processing of personal data where "the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State". One could be forgiven for thinking that an establishment requires significant local presence, but the Court of Justice of the European Union (CJEU) interprets the notion of "establishment" in a broader manner: it is not the legal form that is decisive, but the degree of stability of the local arrangements and the effective exercise of activities in that member state (cf. recital 19 in the preamble to Directive 95/46). Two judgments to highlight in this regard are the CJEU judgments re Google Spain of 13 May 2014 and re Weltimmo of 1 October 2015.
In Google Spain, the Court considered Google Spain SL, a subsidiary of Google Inc. with headquarters in California, to be an "establishment" in terms of Art. 4(1)(a) of the Directive, even though it is Google Inc., and not Google Spain SL, that provides search services in Spain. First, the Court was of the opinion that the processing of personal data is not required to be carried out by the establishment concerned itself, but only that it be carried out "in the context of the activities" of that establishment (para 52). Second, it considered the activities of the operator of the search engine and those of its establishment situated in the Member State to be inextricably linked, since the activities (of Google Spain) relating to the advertising space constitute the means of rendering the search engine at issue economically profitable, and that engine is, at the same time, the means enabling those activities to be performed (para 56). It thus came to the conclusion that the "processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State […] when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State." (para 60). What is surprising is that the local establishment, Google Spain, was not directly involved in the processing of data, but its activities are nonetheless subject to EU data law owing to the link between those activities and Google Inc.'s data processing. The takeaway here is that companies with a subsidiary in the EU must be mindful that EU data law might well apply to the subsidiary if the local activities are linked to the processing of data, even if that occurs outside of the EU.
The broad interpretation of the notion of "establishment" was confirmed in Weltimmo (cf. para 29), a judgment rendered on 1 October 2015. Weltimmo, a company registered in Slovakia, runs a property dealing website concerning Hungarian properties, and processed the personal data of the advertisers (para 9). The advertisers' request to delete their data after a one-month trial free of charge was not complied with. Instead, they were charged for Weltimmo's services and then pursued through a debt collection agency. The issue was whether the Hungarian data protection authority could apply its national data protection law with regard to a data controller whose company is registered in another member state. In regard to the concept of "establishment", the Court considered the presence of only one of the company's representatives in another member state, in this case Hungary, as sufficient to fulfil the meaning of an "establishment" in the sense of Art. 4(1)(a) of the Directive – provided that the representative "acts with a sufficient degree of stability through the presence of necessary equipment for provision of the specific services concerned in the Member State in question" (para 30). Moreover, the meaning of "establishment" extends to any real and effective activity – even a minimal one – exercised through stable arrangements (para 31). In the present case the representative was registered with an address in Hungary in the Slovak companies register, tried to recover the debts for its company, and served as point of contact between the company and the data subjects, while the company itself opened a bank account in Hungary and used a letter box in that State (para 33). In such a situation, the concept of an "establishment" was fulfilled according to the Court.
Second, the Court examined whether the processing of personal data, in this case the operation of uploading personal data on the Weltimmo property dealing website, was also carried out "in the context of the activities" of that establishment. With regard to the Internet, the CJEU had already stated earlier that "the operation of loading data on an Internet page must be considered to be "processing" within the meaning of Art. 2(b) of Directive 95/46" (para 37). Art. 4(1)(a) of Directive 95/46 thus permits the application of Hungarian law.
- The GDPR Broadens Extra-Territorial Application
The proposed General Data Protection Regulation (GDPR), which will apply directly without requiring implementation on a member state level, follows the same direction, but goes even further. The Regulation was adopted on 15 December 2015 and it will take effect in all EU member states in 2018, after a two-year transition period. It will replace the 28 national data protection laws based on the Directive. It will introduce, among other things, additional documentation obligations and draconian sanctions for breaches of data protection law.
Under Art. 3 of the draft regulation, in its final version, the GDPR applies "to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union" in two alternatives: (1) if the behaviour of data subjects is monitored within the EU, and (2) if goods or services are offered to data subjects in the EU. The first alternative applies where individuals are tracked on the internet, at least if the tracking data is then used for profiling and predictive analysis (cf. recital 21). The second alternative applies where the goods or services are aimed at data subjects in a member state. There are several factors that determine if that applies, for example the use of a language or a currency that is generally used in a member state. The accessibility of a website as such, on the other hand, will not be sufficient to trigger the applicability of the GDPR (cf. recital 20). Where the GDPR applies to a Swiss company, that company will be required to designate a local representative, unless an exemption applies.
- Caution is Advised
Swiss companies should therefore monitor developments in EU data protection law. The key takeaway here is that the fact that Switzerland is not a member state of the EU does not prevent the application of EU data protection law.