Important decision on applicable data protection law
13 October 2015
After the controversial Google Spain decision (which besides the right to be forgotten also dealt with applicable law rules), the Court of Justice of the EU (CJEU) handed down another important – and yet again rather controversial – decision on 1 October 2015.
The decision on applicable data protection law, the test at law for determining which national data protection law or laws apply to processing of personal data, comes from Hungary and concerns Slovak company Weltimmo s.r.o. and the Hungarian data protection authority (case C-230/14).
With the recent buzz around the Schrems vs. Facebook judgment of the CJEU by which the court declared the Safe Harbor scheme invalid, and Weltimmo not being a big global player, the judgment (wrongly) failed to receive the attention it deserved. The Weltimmo case addresses two important questions:
− What is the threshold for an establishment and how do the rules on applicable law apply to Internet companies?
− Which data protection authority has competence to impose sanctions?
Multinational companies face these important questions every day. The structure and organisation of companies operating in several countries often makes it difficult to decide on applicable law and on which authority has competence to impose sanctions. Answering these questions is even more difficult for Internet companies, which are able to run their businesses potentially from a single laptop.
Advertisers filed complaints with the Hungarian data protection authority, which imposed a fine of HUF 10 million (approximately €32,000) on Weltimmo, on the basis of breach of Hungarian data protection legislation.
The Hungarian data protection authority concluded that Hungarian (and not Slovak) law applied principally because: (i) Weltimmo collected the personal data in Hungary; and (ii) Weltimmo had a “Hungarian contact person” (a shareholder who was a Hungarian national residing in Hungary) who represented Weltimmo in Hungarian administrative proceedings.
The Hungarian Supreme Court hearing the case asked the CJEU whether the Hungarian data protection authority was competent to apply Hungarian data protection rules and impose fines.
A broad definition of “establishment”
The CJEU interpreted the notion of establishment very broadly in this case. In its view, “establishment” is defined by: (i) the degree of stability of the arrangements; and (ii) the effective exercise of activities in that other Member State. The CJEU further stated that the concept of “establishment” “extends to any real and effective activity – even a minimal one – exercised through stable arrangements”. The notion of “in the context of the activities” was already broadly defined by the CJEU in its Google Spain judgement (C-131/12), to which reference is made in the Weltimmo judgement.
As regards offering services exclusively over the Internet, the CJEU held that the presence of only one representative may, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability and with recourse to the presence of the necessary equipment for the provision of the specific services concerned in the Member State in question.
The CJEU further held in the case at hand that the running of a website written in the local language of a Member State must be deemed pursuing an effective activity in that Member State (and hence involve carrying on an activity “in the context of”, such an establishment).
Use of the data for invoicing purposes, uploading personal data on a website and debt collection are considered in the case at hand as activities carried on in the context of an establishment.
The authority competent for imposing sanctions
The decision does not analyse how (and whether) data protection authorities may share information with one other when further restrictions on data sharing (such as banking secrecy) would apply. It remains to be seen how these restrictions could affect the potential for such cooperation among data protection authorities when multiple national privacy laws would continue to apply.
What are the consequences?
As a result, steps towards compliance (such as the filing of registrations with data protection authorities) would have to be performed in each Member State where a company is established and processes personal data in the context of its activities.
The application of local laws would also lead to competency as regards the local data protection authorities for the supervision of the activities performed though the local establishments. Although, at the same time, the jurisdiction of data protection authorities will not extend beyond the establishment within their jurisdiction. Multinational companies would thus have to comply with multiple EU data protection laws, each having specific differences and particularities.
The decision is arguably not conducive to the (idea of a) single digital market. One could even ask whether such a broad interpretation is even necessary, given that all EU citizens are already granted the same minimum data protection rights (under Directive 95/46/EC) as soon as the data controller is established in one of the EU Member States.
The CJEU also doesn’t seem to have taken into account the situation where, within a corporate group, a certain group entity located in another Member State could actually be in the position of being a “data processor” for another group entity which acts as the “data controller”. In fact, surprisingly the Weltimmo decision does not refer to the concepts of “controller” and “processor” at all.
This decision may complicate data protection compliance for multinational internet corporations and make such compliance more burdensome – and more costly.
Conclusion and practical aspects
In many respects, this judgment arguably brings forward certain proposed changes to the applicable law rules set out in the draft General Data Protection Regulation, which would make any entity offering goods or services into the EU subject to EU data protection laws.