The Court of Justice of the European Union (“CJEU”) recently handed down several landmark rulings affecting the activities of online service providers. Before declaring the Safe Harbor decision invalid, on 1 October 2015 the CJEU released an important, but lesser-known decision (see Case C-230/14), ruling in favor of the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) concerning the interpretation of the applicable law provisions of the EU Data Protection Directive 95/46/EC (“EU Directive”). The CJEU's findings on the applicability of national data protection laws potentially significantly affect the activities of online operators providing services across multiple EU member states.
The underlying facts
Weltimmo SRO, a company registered in Slovakia and owned by a Hungarian national, ran property selling websites, “ingatlandepo.com” and “ingatlanbazar.com”, concerning Hungarian real estate. The website’s servers were located in Germany and in Austria and permitted the listing of real estates by individual advertisers free of charge. However, following an initial one month trial period, Weltimmo automatically charged hidden fees and late payment penalties to its advertisers. Several advertisers contacted the company, asking for the removal of their real property listing; however, Weltimmo refused to grant such delisting requests until full payment of outstanding fees and penalties had been made. Weltimmo also transferred the data of advertisers to debt collection agencies, without notifying the data subject in advance of doing so.
Numerous complaints were filed with NAIH about the websites and NAIH started administrative proceedings against Weltimmo. As a result, NAIH imposed the maximum data protection fine of 10 million HUF (approx. EUR 33,000.-) on the Slovakian company. Weltimmo challenged the administrative decision of NAIH before the administrative court and claimed - on the basis of Articles 4(1)(a) and 28 of the EU Directive - that NAIH had no competence to pursue this case, because Weltimmo was not established within Hungary and Slovakian data protection law applied to its activity.
Following a lengthy local procedural tug of war in the Hungarian courts, the case was then referred to the Hungarian Kúria, the supreme court of Hungary, which lodged a request for a preliminary ruling to the CJEU in order to clarify the questions of jurisdiction and applicable law.
The relevant concepts in the Data Protection Directive
Within the European Economic Area, the applicable data protection law is determined by the place of establishment of the controller. The application of multiple Member States' laws may be triggered if the same controller has establishments in several Member States. In such case, the nature and degree of involvement in the processing activities of such establishments will be decisive in identifying the applicable national law.
Under the Directive, the territorial jurisdiction of national supervisory authorities is limited to the territory of their own Member State, irrespective of the applicable law.
The CJEU decision
In this context, the key questions were whether the applicable law was Hungarian law and whether NAIH was competent to act against a business operator that was not incorporated in Hungary and had no local branch or office, but did have a managing director resident in Hungary who was enforcing Weltimmo’s claims relating to unsettled debts within Hungary.
In its decision, the CJEU articulated that the term “establishment” is a flexible concept which implies the effective and real exercise of activity through stable arrangements; the legal form of the establishment (whether a branch or an office) is not the determining factor. Although the activity of Weltimmo was only minimal, the CJEU found that the Slovakian company pursued real and effective activity in Hungary through stable arrangements. In this context, the CJEU took into consideration several factors, including (i) the permanent local presence of the representative in Hungary, (ii) invoicing and settlement of debts with advertisers; (iii) the use of a Hungarian mailbox and bank account for business purposes; (iv) the representation of the company in various court and administrative proceedings through a local representative; (v) the involvement of Hungarian real estate in the service provided, and (vi) a website in Hungarian language targeted at Hungary. Although the Court emphasized that the Hungarian nationality of data subjects is of no relevance, it held that all the aforementioned factors submitted Weltimmo to the Hungarian data protection laws because the data processing activities - namely loading advertiser’s data to the real property dealing website - occurred in the context of activities pursued in Hungary. Accordingly, the CJEU concluded that, subject to the existence of an establishment in Hungary, which is to be verified by the Kúria, Hungarian data protection law is applicable.
On the question of jurisdiction, the CJEU distinguished between investigative and sanctioning powers. It held that NAIH had the power to investigate the complaint irrespective of the applicable law. However, NAIH only has powers to impose penalties if the applicable law is Hungarian law. To the extent, the applicable law is that of a Member State other than Hungary, NAIH would need to request the other Member State’s supervisory authority to interfere and impose sanctions.
With the aim of ensuring effective and complete protection of individuals the CJEU adopted a very broad interpretation of the EU Directive's applicable provisions, thereby potentially submitting online business operators to multiple Member State’s data protection laws without being registered or having formal undertakings in those Member States. The decision in the Weltimmo case undoubtedly encourages national DPAs to handle directly their data subjects' complaints about foreign data controllers, without using the tools of cooperation between the DPAs, if the national DPA believes that its national laws were circumvented. In its communication on the Weltimmo decision, NAIH indicated that it was very pleased with the outcome of the case and articulated that the CJEU decision reaffirms NAIH’s position that online service providers must comply with each country's data protection laws if their service is directed at individuals in several Member States.
The scope of the practical consequences of the CJEU decision for online business operators providing cross-border services in Europe is still unclear. Numerous online operators have set up a formal establishment in only a single Member State, on the basis that this obliges them to comply with the applicable law of a single country. That strategy is now challenged. Following the Weltimmo decision, if an online business operator provides services in several languages, has local representatives in different countries and pursues the enforcement of claims in other Member States, such operator might now be compelled to comply with those Member State’s data protection laws - including notification, registration and record keeping requirements - and can also expect audits and sanctions from competent national DPAs. This would, of course, result in higher overall compliance cost relating to data protection.
The solution to the issues of "overregulation" which some say the CJEU's Weltimmo decision has created might be the adoption of the general data protection regulation, scheduled for late 2017, which will establish uniform data protection rules within the European Union. Under the regulation's (very controversial) one-stop-shop mechanism, only one lead supervisory authority might have competence over a controller even if data processing activities are pursued in several Member States. In the meantime, further disputes and an increase in the number of national enforcement actions against foreign online business operators can be expected.