Which European Member State’s data protection laws apply when personal data is processed? What should happen if a data protection authority receives complaints about an organisation that turns out to be governed by a different Member State’s laws? Is that authority as empowered to impose sanctions as it would be in a purely domestic case? In the recent case of Weltimmo (C-230/14, 1 October 2015) the Court of Justice of the EU (“CJEU”) passed judgment on all of these issues, clarifying Articles 4 and 28 of the European Data Protection Directive (95/46/EC) (the “Directive”).
The case concerned whether a national data protection authority could apply its national law when the data controller company is registered or incorporated in a different Member State.
Weltimmo, a company registered in Slovakia, runs a property dealing website that advertises properties located in Hungary. Users can upload details of properties for sale; advertisements are displayed free of charge for one month, with fees payable after that.
Many advertisers e-mailed Weltimmo asking for both their advertisements and their personal data to be deleted when the initial month had expired. Weltimmo did not delete the personal data and instead charged the advertisers for its services. When the advertisers did not pay the amounts charged, Weltimmo forwarded their personal data to debt collection agencies. The advertisers in turn lodged data protection complaints against Weltimmo with the Hungarian data protection authority, which imposed a fine.
The key point leading to the referral to the CJEU was Weltimmo’s argument in its defence that the Hungarian authority was not competent to fine a company registered or incorporated in a different Member State.
What amounts to an “establishment”?
Under Article 4 of the Directive, the test of whether a particular Member State’s national laws apply is whether the data controller’s processing of data is “carried out in the context of the activities of an establishment of the controller on the territory of the Member State”.
In Weltimmo, the CJEU found that the concept of “establishment” is broad and flexible and, importantly, does not depend on where a data controller is registered or incorporated. Where a data controller has “stable arrangements” in a Member State and exercises a “real and effective” activity there, even a minimal one, the law of that Member State is likely to apply.
In reaching the conclusion that Weltimmo exercised a “real and effective activity” in Hungary, the Court’s observations included that:
- the properties displayed by the website were all located in Hungary; and
- the website was written in Hungarian (therefore mainly directed at Hungary).
Next, the Court considered whether Weltimmo had a “stable arrangement” in Hungary. Again it concluded that it did, noting that Weltimmo:
- has a bank account in Hungary, intended for the recovery of customer debts;
- uses a letterbox there to manage its affairs; and
- has a representative based in Hungary, listed in the Slovak companies register at a Hungarian address. This representative, it was noted:
  - sought to negotiate with website advertisers regarding unpaid debts;
  - served as the company’s point of contact for the individuals who lodged the complaints; and
  - represented the company in the various legal proceedings.
The Court therefore concluded that Weltimmo was indeed “established” in Hungary for the purpose of Article 4 of the Directive, and was accordingly subject to Hungarian data protection law.
What powers does a data protection authority have when a data controller is governed by another Member State’s data protection laws?
The CJEU found that when a national data protection authority receives a complaint, it may exercise its investigative powers irrespective of which national data protection law applies. However, if it concludes that the law of another Member State is applicable, it may exercise its powers of intervention only within its own territory and in accordance with its own law. It cannot impose penalties on a data controller that is not “established” in its own Member State.
Following this judgment, multinational businesses with operations in more than one Member State may have to comply with multiple data protection laws, each with its own differences and particularities. EU-based companies that offer products or services online in several EU jurisdictions, and that have a contact address and a representative in those Member States, now risk being expected to comply with the data protection laws of up to 28 countries. The ruling is far-reaching and may make data protection compliance quite burdensome for some businesses operating across multiple Member States.
The decision also brings a new perspective on the competence of data protection authorities. Although each Member State’s data protection authority is required to monitor data protection compliance independently on the basis of the applicable law, it may not be able to sanction non-compliance directly where the relevant establishment is based in another Member State. In that situation, the authority can only investigate the facts and inform the authority of the Member State where the controller is established of its findings. That authority may then impose sanctions if it chooses to do so.
The Court’s broad interpretation of “establishment” risks eliminating the long-standing “country of origin” principle, under which a company incorporated or registered in only one Member State has to observe the data protection law of only that Member State (even when it processes personal data about individuals resident in other Member States). The impact of this judgment may be superseded by the new EU Data Protection Regulation which is on the horizon and which attempts to set up a “one stop shop” for data protection law. For now, however, the judgment creates another significant issue to consider when processing personal data in the EU.
Until now, many businesses have adopted the (now clearly riskier) strategy of incorporating an entity in one particular Member State and nominating that entity as the data controller for the purposes of EU data protection law, on the basis that the organisation then had to comply with the data protection laws of only that Member State. This is no longer the correct approach if you, as a data controller, are “established” elsewhere. A number of businesses have, of course, always sought to comply with the higher bar in this area.
The broader interpretation of what constitutes an establishment could trigger the full range of compliance requirements that apply in each Member State, including making filings with the local authority and following each Member State’s variations in interpretation. It also means that the individuals affected can bring claims and complaints before their local data protection authority.
Companies that are not already operating in this way may need to revisit their EU data protection strategy if they offer their services via the internet in various jurisdictions, and should carefully consider where to locate their staff and other facilities if they do not want to be deemed subject to data protection compliance in multiple Member States.