The CJEU provides clarification on the applicable law and jurisdiction for data protection.

Lorna Woods, Professor of Internet Law, University of Essex*

The Court of Justice of the European Union (CJEU) recently issued a decision in the Weltimmo case regarding the jurisdictional reach of data protection authorities. The court ruled that the authority of one Member State can exercise jurisdiction over entities primarily operating outside of that state’s borders. This ruling could impact two important issues being considered for the proposed data protection regulation: the regulation’s territorial scope and the authority of national data protection bodies. In particular, it raises questions about the viability of a “one-stop shop” approach to regulation.

**Facts **

Weltimmo, a company incorporated in Slovakia, operates a website that advertises properties in Hungary. For this service, it collects and manages the personal data of property advertisers. Numerous advertisers requested, via email, the removal of their advertisements and personal data, but Weltimmo failed to delete the data and continued to bill them. When payment wasn’t received, Weltimmo transferred the advertisers’ personal information to debt collection firms.  Consequently, the advertisers filed complaints with the Hungarian data protection authority. 

Weltimmo contended that the Hungarian authority lacked jurisdiction and should have instead referred the matter to the Slovakian data protection authority. However, the Hungarian authority cited Article 4 of the Data Protection Directive, which states that each Member State must apply its national data protection laws to data processing activities carried out “in the context of the activities of an establishment of the controller on the territory of the Member State.”

Therefore, the issue became determining where Weltimmo was established. Regardless of the applicable law, the Hungarian authority believed it held jurisdiction under Article 28 of the Directive, which addresses the role and authority of national data protection bodies. These points of interpretation were then referred to the CJEU.

Judgment

The CJEU’s judgment generally aligns with the Advocate General’s opinion. The court concluded that the national law applicable to the controller (Weltimmo) must be assessed considering Article 4, while Article 28 addresses the roles and powers of national authorities. Thus, the central issue was whether the data processing occurred “in the context of the activities of an establishment.” To ensure the protection of fundamental rights, the court decided this concept should be broadly interpreted.

The court drew upon the Advocate General’s perspective, highlighting that “establishment” should be understood as a broad and flexible concept that considers more than just the controller’s place of registration. The court emphasized that “establishment” encompasses any genuine and effective business activity, even a minimal one, conducted through a stable arrangement. Notably, the presence of even a single representative can be sufficient depending on the circumstances.

Applying this reasoning, the court determined that Weltimmo was indeed established in Hungary. They had a representative, a bank account, and contact details in the country. Additionally, the court recognized that Weltimmo was engaged in a real and effective business activity within Hungary.

After establishing the presence of an establishment, the next question was whether the data processing was connected to the activities conducted through that establishment. The court, again referencing its Google Spain decision, clarified that the processing doesn’t need to be “by” the establishment, but rather “in the context of” the activities carried out through it. The court found this condition satisfied in this case.

Significantly, the court decided that the nationality of the individuals whose data was processed was not relevant in this context. The analysis focused on the data controller, not the data subjects. This reasoning implies that Hungarian law could apply, but the CJEU left the final determination of facts to the national court.

Furthermore, the court stated that if the law of another Member State were to apply, Article 28 of the Directive would be relevant. This provision grants each national data protection authority the responsibility and authority to ensure compliance with data protection regulations within their territory. While the wording differs from Article 4, the court didn’t elaborate on what “on the territory of its own Member State” precisely means within a digital framework. Instead, the CJEU held that a national authority could investigate a complaint, regardless of the applicable law.

As noted by the Advocate General, the data protection authority’s enforcement powers must be exercised while respecting the territorial sovereignty of other Member States and the rule of law. Consequently, a national authority cannot impose penalties outside its own territory. In such situations, the authority should seek cooperation from the relevant national authority, as outlined in Article 28, to ensure enforcement.

Comment

This ruling clarifies that a one-stop-regulation approach is not currently in effect. Consequently, businesses with operations in several Member States might face varying interpretations of data protection rules. Determining which and how many authorities have jurisdiction hinges on the definition of “establishment.” While the data subjects’ nationality isn’t a factor, the court chose not to take a strictly legalistic approach.

While considering elements such as employees or physical presence, business practices also come into play. Significantly, the court acknowledged the distinctive nature of internet-based enterprises. This implies that if a business consistently operates within a territory, a physical presence might not be required to establish “establishment.”

The court’s reaffirmation of its position in the Google Spain case, regarding the connection between data processing and the business, underscores this approach. The court adopts a broad view of how such a connection might arise, suggesting that arguments based on legal technicalities are unlikely to succeed. This could have significant implications for companies like Facebook, which have relied on the argument that being regulated in Ireland shields them from claims by authorities from other EU countries. However, the Weltimmo ruling weakens this argument. This expansive interpretation of applicable law might also reduce the frequency of situations covered by Article 28(6).

More generally, the reasoning in the Weltimmo case suggests the court is maintaining its stance in the Google Spain case, emphasizing the fundamental importance of privacy and data protection. It highlights the need to interpret legal concepts broadly to ensure adequate protection for these rights. Of course, this trend was later confirmed in the Schrems judgment. It remains to be seen how the Weltimmo ruling will influence the planned data protection regulation.

*This is based on a blog post previously published on the SCL Blog, and republished with kind permission

Photo credit: DC Comics; Meme: Steve Peers

Licensed under CC BY-NC-SA 4.0