The central European countries of Slovakia and Hungary are divided by a common 420-mile-long border. But that dividing line, and other European national borders, may now be a little more blurred due to a key ruling by the Court of Justice of the European Union (CJEU). The ruling, perhaps somewhat overlooked due to all of the clamor and questions surrounding the subsequent EU decision on the Safe Harbor Framework, expands the reach of national data protection regulators to companies registered in other EU member states.
The CJEU considered the issue of under what circumstances a company could be considered to have an “establishment” in a member state. Under the EU’s Data Protection Directive, a member state’s data protection laws are applicable to the processing of personal data where a data controller establishes activities in the territory of a member state. In a ruling issued on October 1, the CJEU held that regulators can take action against companies that are not registered in the regulator’s state when the company has some type of presence in the regulator’s state, even if that presence is minimal or where residents of the state are targeted by the company.
The decision arose from the Hungarian data protection authority taking action against a company called Weltimmo. Weltimmo operates a real estate website and is registered in Slovakia. However, the site would run ads for owners of properties in Hungary and process the owner’s personal data. Hungarians complained to their data protection regulator when requests to remove ads and personal data were ignored. Ultimately, Weltimmo was fined approximately 32,000 euros by the Hungarian regulator.
Weltimmo contested the fine, claiming it should be subject to Slovakian rather than Hungarian data protection laws. In holding that the Hungarian regulator could take action against a Slovakian-registered company, the CJEU considered the activities of the data controller (Weltimmo) in Hungary and noted that minimal activities, including the presence of even one company representative in a member state, could be sufficient. Among the factors considered by the court were:The Weltimmo website dealt with Hungarian properties; The website was written in Hungarian; Weltimmo had a representative in Hungary with a Hungarian address and a Hungarian bank account; and Weltimmo used a letter box in Hungary for the management of its business affairs.
The bottom line for businesses processing personal data in the EU is that simply registering in a particular EU country may not be enough to avoid regulators and the data protection laws in other EU member states. Rather, the Weltimmo ruling expands the definition of when a company is considered to have established activities in the territory of a member state. These activities can be as minimal as having a single representative in the other country and/or targeting services to residents of a particular state.
The Weltimmo decision must also be considered in light of the long-anticipated General Data Protection Regulation “GDPR” . The GDPR is intended to establish a “one-stop shop” for businesses processing personal data in the EU, so they are not subject to multiple national regulators. While it remains to be seen when the GDPR will be finalized and take effect, businesses should remain mindful of the Weltimmo decision until the GDPR is in place.