In all of the excitement surrounding the Schrems decision and its impact on Safe Harbor, it would be easy to miss the significance of the other decision of the Court of Justice of the European Union (CJEU) in Weltimmo, issued just days before the judgment in Schrems. Yet the Weltimmo judgment, in its own way, has the potential to significantly impact the way in which global organisations should be thinking about their data protection strategy in Europe.
In Weltimmo, the CJEU came to a number of conclusions relating to the applicability of EU data protection law. The judgment allows individuals to complain about data protection law breaches to the local DPA, even if the organisations they are complaining about are established in another EU Member State.
Under the EU Data Protection Directive, if a business is "established" in an EU Member State and is collecting data in that state, it will fall within the scope of the data protection law of that Member State, meaning that different states will have different laws and affect businesses differently. Businesses have interpreted this to mean that, if they are headquartered in a particular EU Member State, they only have to comply with the data protection laws of that state. Many US multinationals have taken the approach of incorporating an entity in a particular Member State and nominating this entity as the data controller for the purposes of EU data protection law.
There is a 3-pronged test to see whether businesses are complying with the data protection laws of the particular EU Member State:
- Is there an exercise of real and effective activity – even a minimal one?
- Is the activity through stable arrangements?
- Is personal data processed in the context of the activity?
In determining whether the above test is met, the CJEU provides guidance on a number of factors. For example, the context must be considered, i.e. the nature of the economic activities or services provided by a business. For an internet business, the fact that the website is written in the language of a Member State (and, as a consequence, mainly or directly targeted at that Member State) is a significant factor. When looking at the different factors, the nationality of the owners of the business should not be taken into account, as this is not relevant.
As a result of Weltimmo, businesses should also look at other key EU Member State markets, and consider the likely implications of being subject to the data protection laws of those Member States.