After the controversial Google Spain decision (which besides the right to be forgotten also dealt with applicable law rules), the Court of Justice of the EU (CJEU) handed down another important – and yet again rather controversial – decision on 1 October 2015.

The decision on applicable data protection law, the test at law for determining which national data protection law or laws apply to processing of personal data, comes from Hungary and concerns Slovak company Weltimmo s.r.o. and the Hungarian data protection authority (case C-230/14).

With the recent buzz around the Schrems vs. Facebook judgment of the CJEU by which the court declared the Safe Harbor scheme invalid, and Weltimmo not being a big global player, the judgment (wrongly) failed to receive the attention it deserved. The Weltimmo case addresses two important questions:

− What is the threshold for an establishment and how do the rules on applicable law apply to Internet companies?

− Which data protection authority has competence to impose sanctions?

Multinational companies face these important questions every day. The structure and organisation of companies operating in several countries often makes it difficult to decide on applicable law and on which authority has competence to impose sanctions. Answering these questions is even more difficult for Internet companies, which are able to run their businesses potentially from a single laptop.

The facts

Weltimmo, a small Slovak company, had a website on which Hungarian real estate advertisements were published and where the advertisers’ personal data were processed. The advertising service was free of charge for the first month, and then subject to a fee. Several Hungarian advertisers emailed the Slovak company and requested deletion of their advertisement and their personal data following the expiry of the one-month free period. Weltimmo ignored such requests and transferred the advertisers’ personal data who had failed to make payment to a debt collection agency.

Advertisers filed complaints with the Hungarian data protection authority, which imposed a fine of HUF 10 million (approximately €32,000) on Weltimmo, on the basis of breach of Hungarian data protection legislation.

The Hungarian data protection authority concluded that Hungarian (and not Slovak) law applied principally because: (i) Weltimmo collected the personal data in Hungary; and (ii) Weltimmo had a “Hungarian contact person” (a shareholder who was a Hungarian national residing in Hungary) who represented Weltimmo in Hungarian administrative proceedings.

The Hungarian Supreme Court hearing the case asked the CJEU whether the Hungarian data protection authority was competent to apply Hungarian data protection rules and impose fines.

A broad definition of “establishment”

Article 4(1)(a) of Directive 95/46/EC provides that national data protection laws apply where the processing is carried out in the context of the activities of an establishment of the controller in the Member State. When the same controller is considered to be established in several Member States, it must ensure that each of these establishments complies with the national law.

The CJEU interpreted the notion of establishment very broadly in this case. In its view, “establishment” is defined by: (i) the degree of stability of the arrangements; and (ii) the effective exercise of activities in that other Member State. The CJEU further stated that the concept of “establishment” “extends to any real and effective activity – even a minimal one – exercised through stable arrangements”. The notion of “in the context of the activities” was already broadly defined by the CJEU in its Google Spain judgement (C-131/12), to which reference is made in the Weltimmo judgement.

As regards offering services exclusively over the Internet, the CJEU held that the presence of only one representative may, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability and with recourse to the presence of the necessary equipment for the provision of the specific services concerned in the Member State in question.

The CJEU further held in the case at hand that the running of a website written in the local language of a Member State must be deemed pursuing an effective activity in that Member State (and hence involve carrying on an activity “in the context of”, such an establishment).

Use of the data for invoicing purposes, uploading personal data on a website and debt collection are considered in the case at hand as activities carried on in the context of an establishment.

The authority competent for imposing sanctions

Where a company is not deemed to be established in a Member State, the local data protection authority has only limited powers, according to the CJEU. It may hear a claim and analyse it, but any sanction can only be imposed by the Member State authority whose laws apply. This means that, where a company has no establishment in a Member State, nothing changes as regards the current situation, i.e. if an authority of such Member State wants to investigate a claim, it would have to contact the competent authority. The question is, however, which authority would be deemed the competent authority if a company is established in several Member States. This would likely depend on the facts of each specific case.

The decision does not analyse how (and whether) data protection authorities may share information with one other when further restrictions on data sharing (such as banking secrecy) would apply. It remains to be seen how these restrictions could affect the potential for such cooperation among data protection authorities when multiple national privacy laws would continue to apply.

What are the consequences?

This broad interpretation of the terms “establishment” and “in the context of the activities”, at least regarding Internet based activities, could result in the application of multiple national EU laws across each jurisdiction in which a company has an affiliate, a branch or even an employee with a laptop (on a permanent or semi-permanent basis).

As a result, steps towards compliance (such as the filing of registrations with data protection authorities) would have to be performed in each Member State where a company is established and processes personal data in the context of its activities.

The application of local laws would also lead to competency as regards the local data protection authorities for the supervision of the activities performed though the local establishments. Although, at the same time, the jurisdiction of data protection authorities will not extend beyond the establishment within their jurisdiction. Multinational companies would thus have to comply with multiple EU data protection laws, each having specific differences and particularities.

The decision is arguably not conducive to the (idea of a) single digital market. One could even ask whether such a broad interpretation is even necessary, given that all EU citizens are already granted the same minimum data protection rights (under Directive 95/46/EC) as soon as the data controller is established in one of the EU Member States.

The CJEU also doesn’t seem to have taken into account the situation where, within a corporate group, a certain group entity located in another Member State could actually be in the position of being a “data processor” for another group entity which acts as the “data controller”. In fact, surprisingly the Weltimmo decision does not refer to the concepts of “controller” and “processor” at all.

This decision may complicate data protection compliance for multinational internet corporations and make such compliance more burdensome – and more costly.

Conclusion and practical aspects

The Weltimmo judgment is potentially far-reaching and may make data protection compliance for some businesses offering services/products or otherwise operating across multiple Member States more difficult and burdensome. Companies which offer their services via the Internet in various jurisdictions should carefully consider whether to locate their staff and other facilities in countries where they do not want to be deemed established, to avoid being subject to data protection compliance in several Member States. Internet businesses may find it more difficult to claim that local laws are not applicable to them outside the country of their “main” establishment.

In many respects, this judgment arguably brings forward certain proposed changes to the applicable law rules set out in the draft General Data Protection Regulation, which would make any entity offering goods or services into the EU subject to EU data protection laws.