After the controversial Google vs. Spain decision (which besides the right to be forgotten also dealt with applicable law rules), the Court of Justice of the EU (CJEU) handed down another important – and yet again rather controversial – decision on 1 October 2015.
The ground-breaking decision on applicable data protection law comes from Hungary and concerns Slovakian company Weltimmo s.r.o. and the Hungarian data protection authority (case C-230/14). With the recent buzz around the Schrems vs. Facebook judgment of the CJEU by which the court declared the Safe Harbor scheme invalid and Weltimmo not being a big global player, the judgment (wrongly) failed to receive the attention it deserved. The Weltimmo case addresses two important questions:
1. What is the applicable data protection law and how do the rules differ for Internet companies?
2. Which data protection authority has competence to impose sanctions?
Multinational companies face these important questions every day. The character of companies operating in several countries often makes it difficult to decide on applicable law and on which authority has a mandate to impose sanctions. Answering these questions is even more difficult for Internet companies which are able to run their businesses from a single laptop.
Weltimmo, a small Slovakian company, had a website on which Hungarian real estate advertisements were published and where the advertisers’ personal data were processed. The advertising service was free of charge for the first month, and then subject to a fee. Several Hungarian advertisers emailed the Slovak company and requested deletion of their advertisement and their personal data following the expiry of the one-month free period. Weltimmo ignored such requests and transferred the personal data of the advertisers who had failed to make payment to a debt collection agency.
Advertisers filed complaints with the Hungarian data protection authority, which imposed a fine of HUF 10 million (approximately €32,000) on Weltimmo, claiming breach of Hungarian data protection legislation.
The Hungarian data protection authority concluded that Hungarian (and not Slovak) law applied principally because: (i) Weltimmo collected the personal data in Hungary; and (ii) Weltimmo had a “Hungarian contact person” (a shareholder who was a Hungarian national residing in Hungary) who represented Weltimmo in Hungarian administrative proceedings.
The Hungarian Supreme Court hearing the case asked the ECJ whether the Hungarian data protection authority was competent to apply Hungarian data protection rules and impose fines.
A broad definition of “establishment”
Article 4(1)(a) of Directive 95/46/EC provides that national data protection laws apply where the processing is carried out in the context of the activities of an establishment of the controller in the Member State. When the same controller is considered to be established in several Member States, it must ensure that each of these establishments complies with the national law.
The CJEU interpreted the notion of establishment very broadly in this case. In its view, “establishment” is defined by: (i) the degree of stability of the arrangements; and (ii) the effective exercise of activities in that other Member State. The CJEU further stated that the concept of “establishment” extends to any real and effective activity – even a minimal one – exercised through “stable arrangements”. A local representative in a country is already sufficient to be considered as an establishment.
As regards offering services exclusively over the Internet, the CJEU added that the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability and with recourse to the presence of the necessary equipment for the provision of the specific services concerned in the Member State in question.
The CJEU further held that the running of websites written in the local language of a Member State must be deemed pursuing an effective activity in that Member State (and hence involving establishment). Use of the data for invoicing purposes, uploading personal data on a website and debt collection are considered as sufficient activities performed in the context of the activities of what can be deemed an establishment.
Consequently, the laws of the Member State in which a controller is established (which may simultaneously involve several national laws) apply.
What are the consequences?
This broad interpretation of the term “establishment” would thus cover the application of the national laws of all EU Member States in which a company has an affiliate, a branch or even an employee with a laptop (on a permanent or semi-permanent basis). As a result, steps towards compliance (such as the filing of registrations) would have to be performed in each Member State where a company is established. The application of local laws would also lead to competency as regards the local data protection authorities for the supervision of the activities performed through the local establishments. Multinational companies would thus have to comply with various EU data protection laws, each having specific differences and particularities.
Such a decision is probably not entirely conducive to the (idea of a) single digital market. One could even ask whether such a broad interpretation is even necessary, given that all EU citizens are already granted the same minimum data protection rights as soon as the data controller is established in one of the EU Member States.
The CJEU also doesn’t seem to have taken into account the situation where, within a corporate group, a certain group entity located in another Member State could actually be in the position of being a “data processor” for another group entity which acts as the “data controller”. In fact, surprisingly the Weltimmo decision does not refer to the concepts of “controller” and “processor” at all.
One thing is clear: this decision will complicate data protection compliance for multinational corporations and make such compliance more burdensome – and a lot more costly.
The authority competent for imposing sanctions
Where a company is not deemed to be established in a Member State, the local data protection authority has only limited powers, according to the CJEU. It may hear a claim and analyse it, but any sanction can only be imposed by the Member State authority whose laws apply. This means that, where a company has no establishment in a Member State, nothing changes as regards the current situation, i.e. if an authority of such Member State wants to investigate a claim, it would have to contact the competent authority. The question is, however, which authority would be deemed the competent authority if a company is established in several Member States. We assume that this would also depend on the facts of each specific case.
The decision does not analyse how (and whether) data protection authorities may share information with one another when further restrictions on data sharing (such as banking secrecy) would apply. It remains to be seen how these restrictions could affect the potential for such cooperation among data protection authorities when even multiple national privacy laws would continue to apply.
Conclusion and practical aspects
The Weltimmo judgment is far-reaching and makes data protection compliance more difficult and burdensome. Companies that want to avoid being subject to data protection compliance in several Member States should carefully consider the extent of basing their staff and other facilities in countries where they do not want to be deemed established. Internet businesses may find it more difficult to claim that they are not established there.
The decision might have further “undesired” consequences, for instance from a tax perspective. If a company is established for data protection purposes, does this also mean that such a concept of establishment is reflected in the meaning of tax laws? This point remains debatable.