EU court ruling outlines which countries' data protection laws apply to businesses with interests in multiple EU countries

Out-Law News | 02 Oct 2015 | 9:54 am | 4 min. read

Businesses with minimal but stable operations in an EU country are subject to the data protection regime of that country if they process personal data in the context of activities "mainly or entirely directed" towards that country, even if they are not based in that country, an EU court has ruled.

The Court of Justice of the EU (CJEU) said that if a business runs a website written in the language of an EU country and has a representative acting on its behalf in that country in activities relevant to personal data processing then that business can be held accountable for any breach of local data protection rules by the national data protection authority.

"[The EU's Data Protection Directive] ... must be interpreted as permitting the application of the law on the protection of personal data of a member state other than the member state in which the controller with respect to the processing of those data is registered, in so far as that controller exercises, through stable arrangements in the territory of that member state, a real and effective activity – even a minimal one – in the context of which that processing is carried out," the CJEU ruled.

"The presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the member state in question," it said.

The EU's Data Protection Directive states that where personal data processing is carried out by a data controller with an establishment in an EU country then the processing must adhere to the national data protection laws of that country. The Directive makes clear that organisations based in multiple EU countries must abide by each of the different data protection regimes with respect to their personal data processing in those countries.

Businesses that do not have an office in the EU can also fall subject to the Directive, however.

Where a data controller does not have an establishment in the EU but "makes use of equipment" in an EU country to process personal data then the national data protection laws of that EU country apply to that processing. This is unless the equipment is "used only for purposes of transit through" the EU.

The CJEU's judgment concerned the interpretation of the words "in the context of the activities of an establishment" as they are used in the Directive. In a previous case the Court had determined that these words "cannot be interpreted restrictively" but must be understood to have a broader meaning.

In its latest ruling, the CJEU said that "the concept of ‘establishment’, within the meaning of [the Directive], extends to any real and effective activity – even a minimal one – exercised through stable arrangements".

"In order to establish whether a company, the data controller, has an establishment … in a member state other than the member state or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other member state must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned," the CJEU said. "This is particularly true for undertakings offering services exclusively over the internet."

The CJEU was ruling in a case referred to it by a Hungarian court which asked for help in determining whether Hungary's data protection authority had the jurisdiction to impose a fine on a Slovakian-registered company, Weltimmo, for alleged breaches of Hungarian data protection laws.

Weltimmo operated a property website that allowed people to advertise the property for one month free of charge and then subsequently for a fee. According to the ruling, Weltimmo was fined €32,000 by Hungary's data protection authority after the company failed to delete adverts and personal data at advertisers' request. Weltimmo pursued advertisers that failed to pay for adverts that remained on the site through debt collection agencies, the ruling said.

Although Weltimmo was registered in Slovakia the company "did not carry out any activity" in the country, according to the CJEU's ruling. Weltimmo had moved its registered office from one EU country to another "on several occasions" and had developed two Hungarian-language websites for its property business.

The company also had a Hungarian bank account and letter box for "everyday business affairs" and had one representative working for it in Hungary. The person, who has a Hungarian address, "has sought to negotiate the settlement of the unpaid debts with the advertisers" and "served as a point of contact between that company and the data subjects who lodged complaints and represented the company in the administrative and judicial proceedings", the ruling said.

The CJEU said that it believes Weltimmo "pursues a real and effective activity in Hungary" by operating property dealing websites that advertise Hungarian properties and which are written in Hungarian and that there is "no doubt" that its processing of personal data "takes place in the context of the activities".

It said it is of the view, given the nature of Weltimmo's operations, that the company does have an 'establishment' in Hungary and is therefore subject to Hungary's data protection regime. However, it will be up to the Hungarian court to clarify whether the information regarding Weltimmo's operations in the country is correct and to come to its own decision about the matter.

The CJEU said that the nationality of data subjects whose data has been alleged processed in a way that is incompatible with data protection laws is "irrelevant" to determining whether those laws can be applied to companies responsible for that processing but based in another country.

The CJEU also clarified that national data protection authorities are entitled to conduct their own investigations into alleged breaches of data protection rules by companies based in other countries. However, it said that where those authorities find that those companies are governed by another EU country's data protection laws the authorities cannot issue sanctions against those organisations.

In those circumstances, however, the watchdog can liaise with its counterpart in the country in which the company is established to share its findings, with it then being up to that country's data protection authority to decide whether or not to take enforcement action, the CJEU said.