With all privacy eyes focused on the expunging of Safe Harbor and the future of international data transfers, one could be forgiven for overlooking the Weltimmo judgment handed down by the Court of Justice of the European Union (CJEU) on 1 October 2015. Yet, the decision has potentially far-reaching implications in practice as it addresses a question frequently faced by multinationals operating across multiple EU jurisdictions, namely which one of the various national data protection laws they must comply with. Taking a step back – in 2014, in the landmark Google ‘Right to be Forgotten’ decision, the CJEU shook up the privacy world when it ruled that EU data protection law applies to a non-EU based data controller with subsidiaries or branches in the EU to the extent a link can be established between the local subsidiary/branch and the data processing activities of the non-EU based data controller. In Weltimmo, the starting point was a little different in that the question was not whether EU data protection law applied but which member state’s law applied.
The dispute and referral to the CJEU
Weltimmo, a company registered in Slovakia and without a formal branch or office in Hungary, operates a property website concerning Hungarian properties. Within that context, it processes personal data of Hungarian advertisers. A dispute arose about Weltimmo’s data processing activities, and the advertisers complained to the Hungarian supervisory authority which fined Weltimmo for violating Hungarian data protection law. Weltimmo sought judicial review and after a long legal battle, the Hungarian Supreme Court referred the matter to the CJEU asking whether the matter was indeed subject to Hungarian law and whether the Hungarian supervisory authority was competent to impose the fine. In order to answer those questions, the CJEU had to decide:
- what constitutes an “establishment” under the Data Protection Directive triggering the application of national member state law; and
- which competencies national data protection authorities (“DPAs”) have in cross-border matters.
The CJEU’s ruling regarding the applicable law
By way of background, the national data protection law of an EU member state applies to the processing of personal data to the extent the processing is carried out in the context of the activities of an establishment, of the controller, in the territory of that member state. Art.4 of the Data Protection Directive further clarifies that when the same controller is established in several member states, it must ensure that each of these establishments complies with the applicable national law. The CJEU held that the concept of establishment must be interpreted broadly to extend to any real and effective activity, even a minimal one, exercised through stable arrangements. The CJEU rejected a formalistic approach whereby undertakings are established solely in the place where they are registered. Rather, in order to determine whether a data controller has an “establishment” in a member state other than the member state or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other member state must be interpreted. This exercise must be carried out in light of the relevant economic activities and (in this case) provision of services. The following facts (subject to verification by the Hungarian court) led the CJEU to conclude that the relevant data processing activities were carried out by Weltimmo in the context of the activities of an establishment in Hungary:
- a website written in local language targeting Hungary;
- a representative permanently present in Hungary for debt collection and administrative/ judicial proceedings; and
- a letter box and a bank account in Hungary.
This triggered the application of Hungarian data protection law even though Weltimmo was a company registered in Slovakia without formal undertakings in Hungary. Notably, the fact that the website users were Hungarian citizens was considered irrelevant. Further, the CJEU stated that in certain instances, the appointment of a local representative alone can suffice for there to be stable arrangements which trigger the applicability of EU national law.
The CJEU’s ruling regarding DPA competencies
Regarding national DPA competencies, the CJEU ruled that national DPAs have the power to investigate data protection complaints irrespective of the applicable law and, consequently, even if the law applicable to the data processing is that of another member state. The CJEU further held that to the extent a DPA is considering complaints under the national law of another member state, it does not have the power to impose fines as this would violate the territorial sovereignty of the other member state. It would, instead, need to request the other DPA to intervene and impose sanctions.
Businesses carrying out activities, even minimal ones, in more than one EU member state, are potentially required to comply with the national privacy laws of each such member state (regardless of whether or not they are headquartered in the EU and regardless of whether they have subsidiaries or branches or other formal undertakings in those jurisdictions). Those businesses – particularly online businesses – currently taking the view that they need only comply with the data protection law of one EU member state because they are registered in that member state or because they have publicly appointed an entity based in that member state as their data controller for the EU, will need to reassess and potentially revise their EU privacy strategy in light of the Weltimmo decision. This is not to say that the Weltimmo decision is without its challenges. The court’s approach is arguably at odds with the digital single market idea. In applying the court’s decision, certain scenarios will not be clear cut. Some arrangements would need to be carefully considered on their facts. For example, Weltimmo did not carry out any activity in Slovakia where it was registered and had moved its registered office between member states on several occasions. These facts, no doubt, played a crucial part in the decision. Overall, care should be taken to ensure any EU data protection strategy does not serve (or is not seen to serve) the purpose of circumventing national privacy laws or protections for individuals. But businesses should also consider their activities in individual member states and assess whether these are likely to bring them within the realms of national data protection law. There is certainly a global trend towards a broader interpretation of the territorial scope of national data protection laws. This trend is pursued by various stakeholders. For example:
- National courts are starting to interpret existing national data protection law more broadly to capture foreign data controllers that target local markets or users. We have already seen a Belgium court embracing the Weltimmo judgment and applying Belgium data protection law to a company headquartered outside of Belgium. And in a recent German case, a court applied German data protection law indirectly through the back door of the German law on standard terms.
- Regulators, through various developments, feel increasingly empowered to apply local data protection law in cross-border contexts.
- Legislators are starting to enshrine a broad territorial scope in the actual data protection legislation. The incoming EU Data Protection Regulation is the most prominent example of late. If and when adopted, it will expressly apply to the data processing activities of organisations not established in the EU to the extent the processing activities are related to the offering of goods or services to individuals residing in the EU or monitoring the behaviour of individuals in the EU.
Multinationals are well advised to keep a close eye on future developments in this space and prepare themselves for a broader territorial scope of national data protection laws. If you would like to discuss your EU data protection strategy in light of the judgment or obtain further information on the decision, please contact your usual Baker & McKenzie contact.