Lorna Woods, Professor of Internet Law, University of Essex*
The CJEU recently gave judgment in the Weltimmo case, concerning the reach of data protection supervisors, ruling that one Member State’s supervisor can have jurisdiction on organisations mainly established beyond the border of that State. This ruling could have an impact on two key issues under discussion as regards the proposed data protection Regulation: the external scope of that Regulation (discussed here) and the powers of national data protection authorities and the relationships between them - particularly whether there should be a 'one-stop shop' for regulation (discussed here).
Weltimmo is a company registered in Slovakia. It runs a website advertising the sale of properties in Hungary and, for that purpose, it processes the personal data of the advertisers of the property. Many advertisers sent a request by email for the deletion of both their advertisements and their personal data but Weltimmo did not delete such data and charged the advertisers for the price of its services. As the sums claimed were not paid, Weltimmo forwarded the personal data of the advertisers to debt collection agencies. The advertisers complained to the Hungarian data protection office.
Article 28(6) of the Data Protection Directive specifies:
Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.
Weltimmo argued the Hungarian supervisor did not have jurisdiction but should instead have referred the matter to the Slovakian supervisory authority. The Hungarian authority referred, however, to Article 4 of the Directive, which states:
Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable….
The question then was where Weltimmo was established. In any event, no matter what the applicable law, the Hungarian authority took the view that under Article 28 it had jurisdiction. It was these questions of interpretation that were referred to the Court of Justice.
The Court's judgment broadly follows the approach of the Advocate General (Opinion 25thJune 2015). The Court determined that the national law applicable to the controller in respect of that processing must be determined in the light of Article 4; Article 28 deals with role and powers of the national authorities. So the key question was whether the processing was 'in the context of activities of an establishment' – and to ensure protection of fundamental rights, this concept should be interpreted broadly. In this, the Court referred to Google Spain (discussed here). Drawing on the approach of the Advocate General, the Court noted that the meaning of 'establishment' here is a broad and flexible concept – and specifically not just the question of where the data controller is registered. The test relates to:
both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet. [para 29]
The Court emphasised that the concept of 'establishment' extends to any real and effective activity, even a minimal one, exercised through stable arrangements. Specifically, depending on the circumstances, the presence of even one representative can suffice. In this case, Weltimmo was certainly established in Hungary. Not only was there a representative, a bank account and contact details in Hungary, but Weltimmo pursues a real and effective activity there.
Having determined that there is an establishment, the next question is whether the data processing takes place in connection with the activities carried out through that establishment. Again, we see the Court referring to its reasoning in Google Spain: that the processing is not required to be 'by' the establishment, but instead the broader concept of 'in the context of' activities carried out through it. The Court found that aspect satisfied here. In so doing, it noted that the nationality of those whose data was processed is not relevant. The analysis is all about the data controller not the data subject here. This reasoning suggests that the applicable law could be that of Hungary but the Court directed the national court to verify the finding of facts.
The Court continued that, in the event of the application of the law of another Member State, Article 28 of the Directive would come into play. According to that provision, each authority has the responsibility and the power to ensure compliance on that territory with data protection rules, that is, it has jurisdiction to act. Obviously, this is different phraseology than that found in Article 4 but the Court did not address the question of what 'on the territory of its own Member State' means (which may not be clear in a digital context). Instead it held that where a complaint is referred to a national authority, it may investigate whatever the applicable law. As the Advocate General pointed out, the powers of intervention of the supervisory authority must be exercised in compliance with the territorial sovereignty of the other Member States and respect for the rule of law, with the result that a national authority cannot impose penalties outside the territory of its own State. In such a situation the authority should request the cooperation of the relevant national authority, as foreseen by Article 28, to ensure that the rules are enforced.
The upshot of this decision is that it is clear that there is no one-stop-regulation approach currently in effect. This means that a business with operations in more than one Member State may be subject to multiple interpretations of the data protection rules. In determining which and how many authorities have competence, the key question becomes that of 'establishment'. While the data subjects and their nationality are not relevant, the Court has not taken a formal legal approach. We can look at whether there are employees or a physical representation, but also business practice can be taken into account. It is significant that the Court notes the specificities of Internet businesses. Implicitly, if the business is reaching into the territory on an on-going basis, physical representation would be unnecessary to find 'establishment'.
This approach is re-affirmed by the Court's re-iteration of its stance in Google Spain with regard to the connection between the processing and the business. The Court is taking a broad view of whether such connection will arise; arguing points based on legal form will not help here. That could have consequences for companies such as Facebook which are currently clinging to the argument that they are regulated by Ireland to try to defend claims from authorities across the EU. On the basis of Weltimmo, that might not now be such a good argument. This expansive scope of applicable law may also mean that the situation in Article 28(6) will occur less frequently.
Looking more generally, the reasoning in Weltimmo suggests that the Court is sticking to its stance in Google Spain, emphasising the fundamental nature of privacy and data protection and the need to interpret legal concepts broadly to ensure an adequate protection for those rights. This trend has, of course, since been confirmed by the subsequent judgment in Schrems. It remains to be seen whether the judgment in Weltimmo has an impact upon the planned Regulation.
*This is based on a blog post previously published on the SCL Blog, and republished with kind permission
Photo credit: DC Comics; Meme: Steve Peers