Weltimmo v. Hungarian Data Protection Authority: EU Rules on What It Means To Be “Established” in a Jurisdiction

Foley Hoag LLP - Security, Privacy and the Law
Contact

While the Schrems decision invalidating the US-EU Safe Harbor Program is rightly attracting a great deal of attention (as well as blogging and webinars) – and leaving many wondering what to do in the absence of the US-EU Safe Harbor System – companies doing business in the EU need also to consider the impact of another recent decision, reached just days before Schrems.  In Case c-230/14, Weltimmo s. r. o.  v. Nemzeti Adatvédelmi és Információszabadság Hatóság (Weltimmo v. Hungarian Data Protection Authority), the European Court of Justice considered how the EU Data Protection Directive applies to companies operating across multiple jurisdictions and, in particular, what it means for a company to be “established” within a particular jurisdiction.

“Establishment” matters because a company is bound by the data protection laws of any and all member states in which it is “established,” and these laws are not uniform.  The Directive creates a Union-wide objective of data protection, but leaves implementation to member states.  (A directive, in EU parlance, differs from a regulation, which is a binding, uniform requirement applicable to all member states.)  What constituted “establishment” was unclear prior to Weltimmo, but was often thought to mean where an entity was physically headquartered.

In Weltimmo, however, the Court took a much more expansive view of “establishment.”  This is not surprising, because the Directive itself defines “establishment” broadly: “the effective and real exercise of activity  through stable arrangements […] the legal form of such an establishment, whether branch or subsidiary within a legal personality, is not the determining factor in this respect.”  The Court noted that this “departs from a formalistic approach whereby undertakings are established solely in the place where they are registered,” and allowed that an entity may be “established” in a state where it “exercises, through stable arrangements in the territory of that Member State, a  real and effective activity – even a minimal one – in the context of which [data] processing is carried out.”  (“Processing” is likewise defined broadly by the Directive.)

The decision is hardly model guidance for companies, leaving them (and their lawyers) to puzzle out what “stable arrangements” and “real and effective activity” mean.  Some lessons can be drawn from what the Court says about the actual facts of the case; the Court found it important that the website in question was “written in [the] Member state’s language,” concerned advertisements of “properties situated in the territory of [the] Member State,” and was “mainly or entirely directed at [the] Member State.”  In any event, Weltimmo should cause companies to think about whether the laws of more than one member state may apply to their activities.

These same companies should also monitor the ongoing negotiations about the General Data Protection Regulation, which is expected to be adopted early next year.  How exactly the principles laid down in the Weltimmo decision may interact with the Regulation is difficult to foresee, because the text is still under negotiation, but the Regulation may result in more consistent standards across multiple jurisdictions.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising

Written by:

Foley Hoag LLP - Security, Privacy and the Law
Contact
more
less

Foley Hoag LLP - Security, Privacy and the Law on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.