The Court of Justice of the European Union (CJEU) has been very busy in recent weeks re-shaping EU privacy laws. In addition to the much-anticipated decision in “Schrems” (Case C-362/14), which essentially rules the US-EU Safe Harbor invalid, the CJEU has also considered the key issue of “establishment” in another landmark case, namely “Weltimmo” (Case C-230/14).

In particular, it has ruled that businesses with only very minimal operations in an EU Member State can nevertheless be subject to the data protection laws of that Member State, where they process personal data in the context of activities directed towards that Member State. This effectively widens the scope of “establishment” and creates additional headaches for those with European operations.

The action point for companies with a European footprint is therefore to review their European processing activities, re-think where they might be established and look to comply with local laws in those jurisdictions. Status quo is not an option for those who wish to avoid enforcement action in “foreign” jurisdictions they previously thought they could ignore.

Background

The Weltimmo case was referred to the CJEU by the Kúria, Hungary’s Supreme Court, and the facts of the case can be summarized as follows.

Weltimmo operated a property advertising service in Hungary, but was headquartered in Slovakia. It allowed people to advertise a property free of charge for one month, but then would subsequently charge a fee. When Weltimmo failed to delete adverts and personal data at its customers’ request upon the expiry of the free offer period, and passed such data on to debt collection agencies seeking payment for an on-going subscription, it was fined by the Hungarian Data Protection Authority (DPA). The DPA considered it had jurisdiction to impose a fine on the Slovakian company for breaches of Hungarian data protection laws because Weltimmo was “established” in Hungary.

Weltimmo had one representative on the ground in Hungary, a Hungarian bank account and a post office box in the country, and so it appealed the DPA’s decision to the Hungarian court on the basis this was not sufficient to amount to an establishment, nor confer jurisdiction on the Hungarian DPA. Although the DPA’s decision was annulled for lack of clarity over some of the facts, the first instance court did not accept Weltimmo’s defence.

The dispute was then escalated up to the Kúria, at which point Weltimmo continued to argue that the Hungarian DPA had no jurisdiction to apply Hungarian law to it, as (i) it was registered in Slovakia, and (ii) the DPA had failed in its view to follow the procedure set out in the Data Protection Directive (95/46/EC) dealing with “supervisory authorities”, namely that the Hungarian DPA should have shared its findings with the Slovakian DPA and requested the Slovakian DPA to exercise its authority.

The Kúria was unclear as to the correct interpretation and decided to make a reference to the CJEU.

The CJEU’s Ruling

The CJEU’s judgment concerned the interpretation of the words “in the context of the activities of an establishment” as they are used in the Directive and, significantly, ruled that this extends to “any real and effective activity – even a minimal one – exercised through stable arrangements”.

Given the nature of Weltimmo’s operations, the CJEU considered that Weltimmo did have an establishment in Hungary and was, therefore, subject to Hungary’s data protection regime.

Comment

This ruling has changed the landscape of data protection for companies operating in more than one EU Member State, eroding the idea of a “one-stop-shop” in terms of one supervising DPA and making many companies subject to multiple DPAs in Europe.

Previously, companies could arguably “forum shop” from a data protection perspective, choosing to headquarter in a Member State perceived to be more business friendly, such as the UK or Ireland for example, whilst seeking to avoid the long arms of some of the traditionally more conservative (and often aggressive) DPAs.

However, following this ruling, if a company operates a website in the native language of a particular Member State, or has representatives in that Member State (amongst other things), then this could well be enough to constitute an “establishment” such that the company would be accountable under that Member State’s laws and be subject to enforcement action in that Member State, regardless of where it is headquartered.

Whilst this ruling means Weltimmo is likely to be liable for a fairly hefty fine levied by the Hungarian DPA, the ramifications of this judgment are much further reaching and are likely to significantly increase compliance costs for companies with pan-European operations.