National EU member state courts, as well as the European Court of Justice (ECJ), have struggled for several years to define the scope of application of EU data protection law in individual member states. In a decision that provides important guidelines on the competence of, and co-operation between, national data protection authorities (DPAs), the ECJ has clarified how data protection law applies in cross-border situations within the EU (Weltimmo sro v Nemzeti Adatvédelmi és Információszabadság Hatóság C-230/14).
The Underlying Dispute
Weltimmo, a company registered in Slovakia, operates a website targeting the Hungarian market and providing real estate brokering services for properties located in Hungary. Weltimmo processes the personal data of users who advertise properties on the website. Initially, users can use the website for free advertising but, after a month, Weltimmo requires them to pay a fee.Some users demanded that Weltimmo delete their advertisements and personal data after the first month. Weltimmo refused and continued to charge them. It transferred the personal data of users who did not pay outstanding fees to debt collectors.The Hungarian DPA decided that it was competent to deal with the matter and fined Weltimmo for violating Hungarian data protection law. Weltimmo challenged the fine in the courts and the Hungarian High Court referred specific questions regarding the interpretation of EU data protection law to the ECJ for a preliminary ruling.
The Meaning of Establishment
The ECJ had to decide what constitutes an establishment under the Data Protection Directive (95/46/EC) (the Directive) and so triggers the application of a member state’s data protection law (see box “Data Protection Directive“).The ECJ mostly followed the Advocate General’s opinion, confirming his view that the concept of an establishment must be interpreted broadly. The existence of an establishment, as interpreted under Article 4 (1)(a) of the Directive, only requires a real and effective activity, even a minimal one, which is exercised through stable arrangements. In relation to whether the existence of an establishment triggers national data protection law, it is irrelevant whether the processing of personal data is carried out by that establishment. The decisive point is rather that the data processing has to be conducted in the context of the activities of that establishment.The ECJ therefore applied a flexible definition of establishment, rather than taking a formalistic approach that undertakings are established solely in the place where they are registered. In particular, for companies offering services exclusively over the internet, the ECJ stated that establishment is to be interpreted based on the degree of stability of the arrangements and the effective exercise of activities. These factors must be interpreted in light of the specific nature of the relevant economic activities and provision of services.Applying this, the ECJ noted that certain information provided by the Hungarian DPA, if true, would demonstrate that Weltimmo had an establishment in Hungary. The relevant information was that Weltimmo had:
- A website targeting Hungary and using the Hungarian language.
- A representative in Hungary for representation in court proceedings and for debt collection.
- A letter box in Hungary.
- A Hungarian bank account.
The ECJ stated that if the Hungarian High Court verified this information, it would demonstrate that Weltimmo had an establishment in Hungary. The fact that the users were Hungarian citizens was irrelevant. The ECJ said that it was clear that Weltimmo processed data in the context of its activities in Hungary and so, subject to the Hungarian court’s confirmation of the facts, Hungarian data protection law would apply.
The ECJ also had to decide which national DPA is competent to deal with the matter and to what extent each DPA may take action. In considering the competence of national DPAs to handle alleged violations of data protection law, the ECJ distinguished between the DPAs’ investigative and sanctioning powers. Every member state’s DPA can be a contact point for individuals seeking protection for their personal data and so any such DPA may exercise its investigative power on behalf of an individual independently from the rules concerning applicable law.
However, Article 28(1), (3) and (6) of the Directive must be interpreted so that the exercise of a DPA’s power to impose sanctions is subject to applicable law. A DPA may only impose sanctions for activities that take place on its own territory. Anything else would constitute an infringement of territorial sovereignty, the principle of legality and the concept of the rule of law. Therefore, if a DPA decides that the data protection law of another member state applies, it should not impose sanctions but should request that other member state’s DPA to intervene.
If the Hungarian High Court concludes that Weltimmo’s activities do not qualify as an establishment in Hungary, the Hungarian DPA must seek the assistance of the Slovakian DPA to protect the rights of affected individuals, as the exercise of sanctions by the Hungarian DPA would be illegal.
Implications of the Decision
In this significant ruling, the ECJ has confirmed its view that even minimal activities in a member state can trigger the application of that member state’s data protection law. It clarified that this wide interpretation of the Directive is not only applicable in situations where the data controller is based outside the EU, such as inGoogle Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario CostejaGonzález, but also in intra-EU scenarios (C-131/12; see News brief “Google decision: the right to be forgotten“).
However, the ECJ still failed to set out clearly when data processing takes place “in the context of the activities” of an establishment. As a consequence, there is now a risk that EU-based companies that offer products or services online in several member states, with a contact address and a representative in those member states, are expected to comply with the data protection laws of potentially up to 28 countries.
In addition, this broad interpretation risks dislodging the long-standing country of origin principle under the Directive, under which a company established in one member state only has to observe the data protection law of that member state even when it processes personal data about individuals resident in other member states.
The decision also brings a new perspective on the competence of DPAs. Although member state’s DPAs are required to monitor data protection compliance independently from applicable law, they may not directly sanction non-compliance where the respective establishment is based in another member state. In these instances, the DPA is limited to investigating the facts and informing the relevant DPA where the controller is established. This DPA may then impose relevant sanctions.