What is this case about ?
This case is a ruling from the European Court of Justice (Case C-230/14 of 1 October 2015) about the ability of national EU Member State data protection regulators to deal with matters involving organisations situated beyond their borders.
What is the background to this case ?
A Slovakian registered company called Weltimmo ran a property business advertising Hungarian properties on its website. The adverts were free of charge for a month but after that Weltimmo charged for them. A number of property owners (the advertisers) sent a request by e-mail for the deletion of both their adverts and their personal data at the end of the first month. Weltimmo did not delete the data and charged the interested parties for the price of its services. Weltimmo was not however paid and so it forwarded the personal data of the advertisers to debt collection agencies.
The advertisers lodged complaints with the Hungarian data protection regulator who, having determined that the collecting of data by Weltimmo constituted data processing, fined Weltimmo HUF 10 million (approximately €32,000) for infringing Hungarian data protection law. Weltimmo contested that decision before the Hungarian courts.
The case eventually reached the Hungarian Supreme Court who then referred the case to the European Court of Justice for an interpretation of EU law, essentially on the question of whether EU Data Protection Directive 95/46 (which the Hungarian data protection law implemented) allows an EU Member State data protection regulator to apply its national data protection law to a data controller whose company is registered in another EU Member State, but who, in this particular factual scenario, runs a property dealing website concerning properties situated in the territory of the first Member State.
The Court ruled that yes, it does. A national data protection regulator has jurisdiction under its national data protection law to deal with an organisation mainly established in another EU Member State.
What factors does the judgment suggest are significant regarding the territorial scope of domestic data protection laws ?
The key issue concerns the notion of “establishment”. Generally-speaking, if an organisation based in one EU Member State can be said to be “established” in another EU Member State then a data protection regulator will have jurisdiction over that organisation. More particularly, the issue is about where data processing is carried out in the context of activities conducted on an EU Member State’s territory by an “establishment” of the data controller. In connection with this the Court highlighted that the presence of only one representative can, in some circumstances, be enough to constitute an “establishment” if that representative acts with a sufficient degree of stability for the provision of the services concerned in the EU Member State in question. The Court also stated that the concept of “establishment” extends to “any real and effective activity”, even a minimal one, exercised through “stable arrangements”.
On the facts of the Weltimmo case, the European Court indicated that “establishment” was made out in Hungary, although ultimately this is an issue for the Hungarian Supreme Court to decide as the European Court also pointed out.
Does this present issues for transnational organisations or national regulators ?
For national EU Member State data protection regulators this ruling clarifies that the scope of their jurisdiction can be extensive. The devil will be in the detail of determining whether in a given case, when a regulator receives a data protection complaint concerning an organisation based in another EU Member State that in particular is providing services over the Internet, that organisation can be said to be “established” in the Member State of the regulator enabling it to take action.
This ruling does present issues for organisations such as businesses because this means that there is now more risk for them because, depending on the territorial scope of their activities, they may have to concern themselves with data protection regulators in several (if not all) EU Member States.
This doesn’t augur well either as regards the “one stop shop” that is a key component of the proposed EU Data Protection Regulation (which will eventually replace EU Data Protection Directive 95/46), especially when also coupled with the European Court’s recent very significant ruling in the Schrems case (Case C-362/14, 6 October 2015), which also confirmed extensive powers for national data protection regulators.
What should lawyers advise their clients?
Organisations should be aware that when they are doing business in multiple EU Member States, data protection legislation could bite where they are targeting customers, rather than where they are legally headquartered. When considering collecting personal data in a new jurisdiction, they should consider carrying out a privacy impact assessment, as recommended in the proposed EU Data Protection Regulation, to ensure that local rights are not infringed; but if a significant presence is in any given Member State, or a particular nationality is targeted by your activity, local advice should be taken.
This article was first published on Lexis®PSL IP & IT on 12 October 2015. Click for a free trial of Lexis®PSL.
Andre Bywater and Gayle McFarlane are lawyers with Cordery in London where they focus on regulatory compliance, processes and investigations.
Gayle McFarlane, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 118 2700
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785