Determining which entity qualifies as the data controller under the establishment test of article 4(1)a of the Data Protection Directive (95/46/EC) has become a real challenge over the last few years. A number of ground breaking decisions, such as the Google Spain or Weltimmo case, have seriously reduced the margin of manoeuvre for multinationals willing to designate a single data controller for all their EU data processing activities.
The ground breaking Google Spain decision had introduced the notion of 'inextricable link' to conclude that the Spanish Google entity was a relevant 'establishment', as a result of which Spanish data protection law applied. The Weltimmo had further broadened the interpretation of 'establishment' by setting a very low threshold for determining whether a data controller is 'established' in a particular Member State.
A new episode in this discussion is currently unfolding before the Court of Justice of the European Union ("CJEU"). Last week, the Advocate General issued his opinion in the Verein für Konsumenteninformation v. Amazon EU Sàrl (Case C-191/15 –the "Amazon case").
In addition to a number of contract and consumer protection issues, from a data protection perspective, the key question in the Amazon case is whether Amazon EU, a company established under Luxembourgish law is the relevant establishment to trigger the applicability of Luxembourgish data protection law in relation to online sales to consumers based in Austria.
The Advocate General's opinion is interesting for two reasons.
First, the Advocate General opines that the broad interpretation of the Google Spain case should not be applied in the case at hand because of a fundamental difference: in the Google Spain case, without the broad interpretation of the notion of 'establishment', there was a risk that Google's processing activities would not have been subject to EU data protection law at all. According to the Advocate General, this is why the CJEU had interpreted the establishment test so broadly. In the Amazon case however, if Austrian data protection law does not apply as a result of the absence of an Austrian establishment, it is certain that the data protection laws of another Member State will apply (whether those of Luxembourg or Germany). As a result, the personal data being processed will be protected by EU data protection law in any event.
The argument that a distinction should be made between both scenarios is surprizing, and the CJEU had definitely not done so in the Weltimmo case. In that case, the CJEU had simply applied the Google Spain principles to declare one EU Member State's data protection applicable instead of that of another EU Member State.
Secondly, on the basis of his point of view that the establishment test is to be interpreted less broadly in the Amazon case, the Advocate General then seems to have applied a higher threshold than that of the CJEU in the Weltimmo case. Indeed, according to the Advocate General, the fact that Amazon Luxembourg may provide an aftersales customer service in Austria, which could qualify as an 'establishment' does not necessarily imply that their activities are inextricably linked with Amazon's data processing activities, such as credit risk controls.
The Advocate General's Opinion may be good news for the many multinationals that have opted to appoint a single data controller for their EU activities for efficiency purposes.
Nonetheless, his point of view of rather surprizing in the light of the recent CJEU case law and the current developments in the Belgian Facebook case as he seems to interpret the establishment test not as broad as the other decisions. It therefore remains to be seen whether the ECJ will follow the Advocate General's opinion.
In any event, and regardless of whether the CJEU follows the Advocate General's Opinion, it is clear that the factual circumstances are and remain of paramount importance in the applicable law discussion. If multinationals want to appoint a single data controller for all their EU activities, they must not only ensure that the appointed data controller has devolved decision-making autonomy. Bearing both the Weltimmo and the recent Advocate General's Opinion in mind, it is also crucial to look to their other EU Member State markets, even those where they have a minimal presence, to avoid that these be considered a relevant 'establishment', triggering the application of local data protection law.
This article was first published in the IAPP's Privacy Tracker.