How should online businesses determine which data protection laws to comply with, and how should multiple claims to jurisdiction over the national application of data protection laws be resolved?

Much has been written in the last week about the ruling of the Court of Justice of the EU (CJEU) in holding that EU Commission Decision 2000/520/EC on the adequacy of protection provided by the EU-US Safe Harbour programme should not prevent EU national data protection authorities from suspending data transfers to the US and should be declared invalid (Maximillian Schrems v Data Protection Commissioner), as discussed by Sophie here. This decision provides increased prominence to the roles of national data protection agencies.

In contemplating what this might mean for future data protection requirements in the EU, two other pieces of recent news are worth mentioning to ‘complete the legal picture’ in respect of how data protection law applies in an online environment where territorial boundaries for legal purposes are not always clear-cut.

In this post I will discuss another recent landmark judgement by the CJEU that has significance for multinational companies operating across multiple EU Member States under EU law. In my second post, to be published shortly, I will discuss news that the European Commission has concluded negotiations of a data protection ‘umbrella agreement’ with the US, and consider its implications for EU citizens and the Schrems decision.

First, discussion of the CJEU decision in Weltimmo s. r. o. v Nemzeti Adatvédelmi és Információszabadság Hatóság. On the facts of the case, Weltimmo is a company operating with a registered office in Slovakia that operates a property-dealing website. This website advertises properties in neighbouring Hungary, initially for free and then for a fee charged to the advertisers (property owners) after one month, which involves processing their personal data. Requests by Hungarian advertisers to Weltimmo to delete their advertisements and personal data were ignored. Instead, charges were imposed, which debt collection agencies sought to recover via access to the associated personal data.  Complaints were subsequently made to the Hungarian data protection agency, which imposed a fine on the company for its conduct. Weltimmo, in turn, challenged this fine in court based on its argument that – as it was registered in Slovakia – Hungarian data protection law did not apply to it.

The Hungarian court then referred various questions about jurisdiction to the CJEU by way of a request for a preliminary ruling. Most notably, to paraphrase questions 1-6, in circumstances such as those at issue, it was asked how should the Data Protective Directive be interpreted regarding its following provisions:

• Can Article 28(1) be interpreted as meaning that the provisions of national law of a Member State are applicable in its territory to a data controller registered in another Member State, but who runs a property-dealing website concerning properties situated in the original Member State?
• Can Article 4(1)(a), read in conjunction with Recitals 18 – 20 of its preamble and Articles 1(2) and 28(1) thereof, be interpreted as meaning that the Hungarian data protection agency may not apply Hungarian data protection law to such data controller?

In other words, how should a data protection agency (so-called “supervisory authority” in the language of Article 28) decide if it has jurisdiction to apply its national law when a data controller company is registered in another Member State. In particular, the referring court asks whether it is significant that this other Member State is a Member State:

–        at which the activity of the controller of the personal data is directed,

–        where the properties concerned are situated,

–        from which the data of the owners of those properties are forwarded,

–        of which those owners are nationals, and

–        in which the owners of that company live?

In its decision, the CJEU considered the criteria for establishing which local data protection laws apply to the processing of personal data. In particular, it re-examined the question of what constitute a company’s ‘establishment’ within a country. As set out in Article 4(1)(a) of the Directive, “Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where…(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State…when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable”. It is noteworthy, here, that the Directive explicitly recognises that other Member States’ laws could be triggered by the location of establishments of the same controller in those territories depending on the context in which processing activities are carried out there.

[For background on the concept of an ‘establishment’, Recital 19 of the Directive provides that it requires “the effective and real exercise of activity through stable arrangements” and legal form is not a determining factor. The CJEU has, in turn, considered in past cases that a stable establishment requires that “both human and technical resources necessary for the provision of particular services are permanently available” (see, e.g. Gunter Berkholz v Finanzamt Hamburg-Mitte-Altstadt, at para 18). In this manner, the territorial scope of the Directive by the EU legislature has been interpreted as being particularly broad.

When trying to establish in the context of whose activities personal data is being processed – which is different from a requirement that the processing of personal data in question be carried out ‘by’ the establishment concerned itself – the Article 29 Working Party has previously opined that data controllers should take into account (page 14):

• The degree of the establishment’s involvement in the activity. In other words, it is important to ascertain which establishment is responsible for which activities, so as to be able to determine whether the data processing carried out by that establishment can be seen to form part of its own activities or those of another establishment.
• The nature of the establishment’s activities. Determining whether data processing is taking place in the context of a particular activity largely depends on the nature of these activities.

In this context, the Working Party suggests (page 15) that, “A functional approach should be taken in the analysis of these criteria: more than the theoretical evaluation made by the parties about the law applicable, it is their practical behaviour and interaction which should be the determining factors: what is the true role of each establishment, and which activity is taking place in the context of which establishment?”. Depending on the results of this analysis, different processing activities carried out by the same establishment may therefore be governed by the laws of different Member States.]

In the present case, the CJEU also took a flexible and broad approach to the concept of ‘establishment’ in light of the Directive’s objective of the protection of fundamental rights and freedoms. It states (para 29-33):

“Accordingly, in order to establish whether a company, the data controller, has an establishment, within the meaning of Directive 95/46, in a Member State other than the Member State or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet. In that regard, it must, in particular, be held, in the light of the objective pursued by that directive, consisting in ensuring effective and complete protection of the right to privacy and in avoiding any circumvention of national rules, that the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question. In addition, in order to attain that objective, it should be considered that the concept of ‘establishment’, within the meaning of Directive 95/46, extends to any real and effective activity — even a minimal one — exercised through stable arrangements.”

The CJEU goes on to say that, on the facts of the present case, the following factors were determinative of a legal finding that Weltimmo has an ‘establishment’ in Hungary within the meaning of Article 4(1)(a): it operated a service in the Hungarian language of that Member State (and thus, its services were directed to a lesser or greater extent at Hungary), it opened a bank account there, and it had a letter box there. It also had a Hungarian representative (one of Weltimmo’s owners), who served as a point of contact between the company and the Hungarian advertisers in debt collection negotiations and proceedings.

On the issue of how to establish whether the processing of personal data at issue is carried out ‘in the context of the activities’ of that establishment, the CJEU also found that personal data processing was carried out in the context of the activities of that Hungarian establishment by Weltimmo upon appropriate legal grounds, so that Hungarian data protection law may be deemed to apply if the facts alleged were subsequently substantiated by the Hungarian referring court.

In respect of a 7^th question, the CJEU was asked, (to paraphrase), what should happen if a third country supervisory authority decides that it does not have jurisdiction?  In particular, would the Hungarian data protection agency still be able to impose a penalty on Weltimmo if it decided that Weltimmo was not established in Hungary and that Slovakian law applied instead? The Court concluded that where a complaint is made to a data protection agency it may, pursuant to Article 28(4) of the Directive, examine the complaint irrespective of the applicable law having been determined or not. However, upon determination by the authority that the law of another member state applies, it may only exercise its intervention powers under Article 28(3) within its own territory and cannot impose a penalty on a controller which is not established in its territory. It should, instead, in accordance with Article 28(6), request action by the supervisory authority within the Member State whose law is applicable.

In summary, therefore, the Weltimmo decision’s analysis of the jurisdiction and responsibilities of different data protection authorities could give national data protection agencies more confidence in their powers to enforce domestic data protection laws in respect of companies operating across multiple EU countries – in particular, in respect of companies operating websites that offer services specifically targeted at their Member State, yet with minimal (but stable) physical operations therein. In practical terms, this means that a piecemeal country-by-country approach to EU-wide data protection compliance by organisations may become more commonplace.

Another important legal implication of the case relates to the fact that the data protection reform trilogue negotiators are currently considering the interaction between the jurisdictions of national data protection agencies and associated problems in practice. It was in response to such problems that the ‘one-stop-shop’ approach to regulation across the EU and EEA was proposed. (In this respect, see my earlier post here). It remains to be seen what influence the judgement will have on the text of the new Regulation.

Finally, the case is a stark reminder that the issue of the nationality of the data subjects associated with an act of personal data processing is irrelevant to determining whether EU data protection rules apply.

Alison Knight