On 1 October, the Court of Justice of the European Union (CJEU) handed down its judgement in the Weltimmo case (Case C‑230/14), a decision which could have important ramifications for the data protection obligations of companies operating across multiple EU member states. The CJEU effectively held that where a company has a representative in a country and operates services directed at that country, the company can be held accountable by that country’s data protection authority despite not being formally established in that country.
Weltimmo, the company at the centre of the dispute, was registered in Slovakia and ran a property dealing website concerning Hungarian properties. Weltimmo was the subject of a complaint to the Hungarian data protection authority (DPA) in relation to its decision to forward the personal data of advertisers to debt collection agencies. The Hungarian DPA declared that it was competent to adjudicate on the complaint under Hungarian national data protection law and imposed a fine on Weltimmo of approximately €32 000.
Weltimmo brought an action before the Budapest administrative and labour court, which held that the fact that that company did not have a registered office or branch in Hungary was not a valid argument in defence because the processing of data had taken place in Hungary.
Weltimmo appealed on a point of law to the referring court, claiming that pursuant to Article 4(1)(a) of Directive 95/46, the Hungarian DPA was not competent and could not apply Hungarian law in respect of a supplier of services established in another Member State. Weltimmo maintained that, under Article 28(6) of Directive 95/46, that authority should have asked the Slovak data protection authority to act in its place.
Article 4(1)(a) of Directive 95/46 (the Directive) provides that member states shall apply national law where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. The Hungarian court referred six questions which the CJEU distilled into one key question – what is covered by the concept of "establishment" under Article 4 of the Directive?
The concept of "Establishment"
The CJEU held that the words ‘in the context of the activities of an establishment’ in Article 4 cannot be interpreted restrictively. The objective of the Directive is the effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data. Furthermore, the definition of an establishment must be flexible and the CJEU rejected a formalistic approach whereby undertakings are established solely in the place where they are registered.
The CJEU cited Recital 19 of the Directive, which states that:
Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities;
The CJEU held that the concept of establishment would extend to any real and effective activity exercised through stable arrangements even where this real and effective activity was a minimal activity. These requirements (of a real and effective activity and a stable arrangement) must be interpreted in the light of the specific nature of the economic activities in question. The CJEU stated that this was particularly true for undertakings offering services exclusively over the Internet.
Stable Arrangements and a Real and Effective Activity
The CJEU held that, as the company was running a property dealing website in Hungary, concerning properties situated in Hungary and written in Hungarian, the company pursued a real and effective activity in Hungary.
In terms of what constitutes a "stable arrangement", the CJEU held that the presence of only one representative could, in some circumstances, suffice to constitute a stable arrangement "if that representative acted with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question".
The representative of Weltimmo was an individual, mentioned in the Slovak companies register with an address in Hungary, who had served as a point of contact between that company and the data subjects who lodged complaints and had represented the company in the judicial proceedings. In addition, Weltimmo had opened a bank account in Hungary intended for the recovery of its debts, and used a letter box for the management of its everyday business affairs.
The CJEU found that Article 4(1)(a) of the Directive would permit, in a situation such as that at issue in the main proceedings, the application of the Hungarian law on the protection of personal data. Furthermore, there was no doubt that the processing in question took place in the context of the activities which Weltimmo pursued in Hungary.
The applicable Powers of the relevant Data Protection Authority
Article 28(1) of the Directive mandates each member state to provide for a public authority responsible for monitoring compliance with data protection law. The second important finding of the CJEU in Weltimmo concerned the applicable powers of the relevant data protection authority.
Article 28(3) of the Directive provides a non-exhaustive list of powers including investigative powers, powers of intervention and the power to engage in legal proceedings. Article 28(6) of the Directive provides that:
Each supervisory authority is competent, whatever the national law applicable to the processing in question, to exercise, on the territory of its own Member State, the powers conferred on it in accordance with paragraph 3. Each authority may be requested to exercise its powers by an authority of another Member State.
The supervisory authorities shall cooperate with one another to the extent necessary for the performance of their duties, in particular by exchanging all useful information.
The seventh question referred by the Hungarian court concerned the extent of the Hungarian DPA’s powers in a situation where the applicable law was not Hungarian but the law of another member state.
The CJEU Decision on applicable powers
The CJEU held that the powers listed in Article 28(3) were non-exhaustive and could include the power to impose a fine. Looking at Article 28(6), the CJEU held that where a complaint is submitted to a DPA, that DPA can exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable. However, where the DPA reaches the conclusion that the law of another Member State is applicable, it cannot impose penalties outside the territory of its own Member State. In such a situation, it must, in fulfilment of the duty of cooperation laid down in Article 28(6), request the supervisory authority of that other Member State to establish an infringement and to impose penalties if that law permits, based, where necessary, on the information which the authority of the first Member State has transmitted to the authority of that other Member State.
The effect of the CJEU’s decision in Weltimmo is that where a Data Controller exercises a real and effective activity, even a minimal one, through stable arrangements in the territory of a Member State, and processes data in the context of these activities, that controller can be subject to the laws of that member state even where it is registered in a different member state. This decision has important consequences for companies operating across multiple EU jurisdictions.
Article 4 of the Directive provides that once a company is "established" in a member state it must ensure that each establishment complies with the obligations laid down by the applicable national law. Any broadening of the concept of an establishment could subject companies operating across the EU to the obligations of different data protection regimes.
In terms of the requirement of a stable arrangement, the CJEU has held that a single individual acting with a sufficient degree of stability through the presence of necessary equipment could be sufficient. It is interesting to note that the equipment in the case of Weltimmo seemed to be a bank account and a letter box, as the CJEU observed that the location of the servers was not established.
The CJEU decision on the meaning of the concept of an establishment will continue to be of relevance once the new Data Protection Regulation comes into force. Under the latest draft, the concept of an "establishment" remains the catalyst for the territorial application of data protection law in a member state of the EU. However, the effect of Weltimmo may be tempered by the application of the one-stop-shop mechanism, which introduces the concept of a controller's "main establishment" and aims to allow large companies with presences in many member states to deal only with a single data protection authority.
Trilogue negotiations between the Council, the European Parliament and the EU Commission recently began with the aim of reaching a final agreement on the proposed EU Data Protection Regulation by the end of 2015.