On 1 October 2015 the Court of Justice of the European Union (CJEU) presented a landmark ruling concerning the application of national data protection law and the power of national data protection supervisors. It decided that a company can be held liable by the Data Protection Authorities (DPA) of a member state for breaching data protection law despite being neither registered nor headquartered in that state. A real and effective activity – even a minimal one – which includes the processing of data will suffice to apply the national data protection law of that EU member state.
The case was brought up by the Hungarian DPA against Weltimmo, a company registered in Slovakia which runs a property dealing website advertising properties located in neighbouring Hungary. Many advertisers requested the deletion of both their advertisements and their personal data after the expiration of the free one-month trial period. Weltimmo did not delete their data, but instead started charging for its services and continued forwarding the personal data of many advertisers to debt collection agencies, which led to complaints being lodged with the Hungarian DPA. The latter ultimately imposed a fine on the company of approximately €32,000.
The CJEU had to decide whether the Hungarian DPA was the competent authority to impose a fine on a Slovakian-registered company.
The answer very much depended on the interpretation of Article 4 (1)(a) of Directive 95/46 which provides that:
‘1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; (…)’
The CJEU held that this provision cannot be interpreted restrictively and that it must be seen in the light of the fundamental rights, and in particular the right to privacy with respect to the processing of personal data.
It then considered recital 19 of the preamble of Directive 95/46 which states, inter alia, that the concept of ‘establishment’ on the territory of one member state implies the effective and real exercise of activity through stable arrangements. Taking into account the following details of the case, the CJEU ruled in favour of the Hungarian DPA.
Remarkably, Weltimmo did not carry out any activity at the place where it had registered its office. Instead, it moved this registered office from one state to another. The property dealing websites were written exclusively in Hungarian. A bank account had been created in Hungary, which was intended for the recovery of its debts, and a letter box in Hungary served for its everyday business affairs. A representative, based in Hungary and listed in the Slovak companies register with an address in Hungary, served as point of contact between the company and the data subjects who had lodged complaints, and this individual represented the company in the administrative and judicial proceedings.
The CJEU held that these circumstances, if verified by the national Supreme Court in Hungary, were sufficient to affirm the existence of an ‘establishment’ in Hungary within the meaning of Article 4 (1)(a) of Directive 95/46, as they included a stable arrangement and a real and effective activity. The Hungarian DPA in this case would therefore have the competence to impose a fine on the Slovak-registered company.
In contrast, if the DPA of one member state comes to the conclusion that the law applicable to the processing of personal data is the law of another member state, it cannot impose penalties on the controller of the data as they are not established within the DPA’s jurisdiction. Instead, the DPA should in this case pursue its duty of cooperation and forward the request to the national DPA which does have the competence in accordance with Article 28(6) of the 95/46 Directive.
The way forward
The judgment will certainly have an impact on many companies which thought that they would be safer registering in a state other than the one(s) in which they operate. Even minimal data activities in another country, provided they are real and effective, can now lead to the application of a jurisdiction that is undesired and that the companies initially intended to avoid.
Before this ruling, companies were likely to establish their headquarters in those states with more liberal data protection laws, such as Ireland and the UK, which provided business-friendlier legal environments. Businesses would then fall only under that member state’s jurisdiction. This convenient approach taken by many companies will now come to an end: the CJEU’s ruling removes that advantage, so companies will likely no longer adopt it.
This judgment broadens the competence of DPAs and might lead to greater compliance issues for multinational companies operating web services across several EU member states, such as Facebook and Google. The CJEU ruling on the Schrems case, which followed a couple of days later, reinforces the approach taken in this judgment and even goes a step further by completely invalidating the EU-US Safe Harbour Decision, ensuring that individuals are not deprived of the protection to which they are entitled under the 95/46 Directive. While the Commission has to negotiate a new agreement with the US, national DPAs are in charge of deciding whether personal data can be transferred across borders.
The Schrems case might have stolen a little of the Weltimmo judgment’s thunder, but while the Schrems case mainly impacts the trans-border transfer of data to a third party outside the EU, the Weltimmo case concerns data breach situations within the EU and should therefore by no means go unnoticed. The two judgments in the end complement each other in respect of how data protection law applies in the online environment.
It remains to be seen what impact these judgments will have on the upcoming General Data Protection Regulation, which will soon replace the 95/46 Directive.
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.