The Court of Justice of the European Union (“CJEU”) has ruled in the case of Weltimmo s.r.o v Nemzeti Adatvédelmi és Információszabadság Hatóság, case C-230/14, that the data protection legislation of a Member State may apply to a data controller registered in another Member State if, through stable arrangements in the territory of that Member State, the data controller exercises a real and effective activity, however minimal, in the context of processing personal data.
Weltimmo, a company registered in Slovakia, operates a website advertising the sale of properties in Hungary and, for that purpose, processes the personal data of the advertisers. The advertisements are free of charge for one month but thereafter a fee is payable. Several advertisers requested the deletion of their advertisements and personal data at the end of the first month. However, Weltimmo did not do this and charged the advertisers. When the fees weren’t paid, Weltimmo forwarded the advertisers’ personal data to debt collection agencies.
The advertisers complained to the Hungarian data protection authority, which imposed a fine of approximately €32,000 on Weltimmo for a breach of Hungary’s data protection legislation. Weltimmo challenged the fine before the Hungarian courts.
The case was subsequently referred to the CJEU by the Supreme Court of Hungary, which asked the CJEU to determine whether EU Directive 95/46/EC (“Data Protection Directive”) gave the Hungarian data protection authority jurisdiction to impose a penalty on Weltimmo, a data controller registered in another Member State, for infringement of Hungary’s data protection legislation.
The CJEU’s decision
Meaning of “establishment”
The CJEU considered the meaning of “establishment” in the context of Article 4(1)(a) of the Data Protection Directive, which provides that a Member State shall apply its national data protection legislation where personal data is processed “in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable”.
The CJEU ruled that the concept of “establishment” extends to any “real and effective activity” exercised with a “sufficient degree of stability” in the Member State in question. It noted that even a single representative could qualify as an establishment.
The CJEU also provided practical guidance on what can constitute an “establishment” for the purposes of the Data Protection Directive. This may prove particularly helpful to internet businesses whose territorial boundaries for legal purposes are particularly difficult to determine. The CJEU pointed to the fact that Weltimmo’s website is written in Hungarian and the company’s Hungarian representative had been responsible for both the negotiation of the settlement of the unpaid debts with the advertisers and representing the company in legal proceedings in Hungary regarding its data processing. The CJEU also noted that the company had opened a bank account in Hungary and used a letter box in Hungary for the management of its everyday business affairs. Subject to these facts being proven in the national court, the CJEU ruled that they indicated Weltimmo is established in Hungary within the meaning of the Data Protection Directive and as such its activity is subject to Hungary’s data protection legislation.
In addition, the CJEU held that the nationality of data subjects is “irrelevant” in determining whether a particular Member State’s data protection legislation is applicable to a data controller.
Powers of data protection authorities
The CJEU also commented on the power of a data protection authority to impose a penalty pursuant to Article 28 of the Data Protection Directive on a data controller which processes the personal data of individuals located in its territory but isn’t established in that Member State within the meaning of the Data Protection Directive. In this case, the CJEU held that the data protection authority may investigate a complaint about that data controller but cannot impose a penalty on it. The data protection authority should request that its counterpart in the applicable Member State imposes the appropriate penalty prescribed by that State’s data protection legislation.
The CJEU’s ruling emphasises the difficulties faced by multinational organisations in determining which data protection legislation they are required to comply with when operating across Europe and by data protection authorities in determining the remit of their powers. What is clear, however, is that we are far from the ‘one stop shop’ position which has been envisaged by the General Data Protection Regulation (“Regulation”). When it comes into force, the Regulation will have direct effect across all Member States, meaning that it will apply throughout the EU without the need for further implementation by Member States into national laws. Until then, multinational organisations and particularly those whose business is online, must remain alert to the fact that their activities may constitute an establishment in multiple Member States, meaning that they must cooperate with multiple data protection authorities to ensure compliance with each State’s data protection legislation.