Companies collecting personal data in other EU Member States are not safe of foreign jurisdiction anymore

20 October 2015

Dr. Bálint Halász, Ruth Boardman

On 1 October 2015, Court of Justice of the European Union has handed down its ruling in Weltimmo v. NAIH [the Hungarian Data Protection Authority] (C-230/14). The CJEU concluded that a company could not use its place of incorporation in one Member State as a way of avoiding the application of another Member State’s data protection law, when the company is also established in that other Member State and is processing personal data in the context of the activities of that other establishment.

The case emphasises that even minimal activity in a Member State may amount to establishment. It raises the possibility that use of a website targeting a particular Member State may be sufficient, by itself, as to mean that the data protection law of that Member State will apply.

The decision is likely to be welcomed by those data protection authorities who have expressed concern at the approach taken by some, often US technology, companies that personal data which they process about EU residents is only subject to the data protection law of the Member State where the legal entity which is the party to the Terms of Service with those users is incorporated.  

Background

The Hungarian Data Protection Authority (NAIH) imposed a fine of HUF 10,000,000 (approximately EUR 32,300) on Weltimmo s.r.o. for unauthorised data processing activities. Weltimmo is incorporated in Slovakia, with two Hungarian individuals as shareholders. Weltimmo had been operating an online real estate marketplace, under domain names ingatlanbazar.com and ingatlandepo.com. These websites received several complaints for allegedly misleading customers by initially offering free services, but invoicing high fees after the expiry of a trial period. Weltimmo allowed customers to opt out and to remove expired ads only once customers had paid their fee. Weltimmo also transferred customer data to external receivables management providers, without customer consent or notification.

In its 2012 enforcement decision,  NAIH concluded that Weltimmo had failed to comply with notification and purpose limitation requirements. It had also processed and transferred personal data with no legal basis. The NAIH imposed the maximum fine, on the basis that the controller had engaged in non-compliant data processing activities for several years and, during this period, certain Hungarian authorities, including the previous data protection commissioner’s office, then the NAIH and the Hungarian Competition Authority, had received numerous complaints from customers and competitors.  The controller had also failed to respond to NAIH’s enquiries. The NAIH also warned the controller that it may be entitled to impose multiple fines if it did not take remedial steps.

Weltimmo appealed  and the court set aside the decision and ordered NAIH conduct new proceedings. According to the court, the NAIH failed to explore the factual background of the case. The court also concluded that the data processing by Weltimmo is subject to Hungarian law as Weltimmo collected data in Hungary, via websites available in Hungarian,  and aimed at a Hungarian audience. The NAIH concluded new proceedings against Weltimmo and imposed a fine of HUF 8,500,000 (approx. EUR 27,500) on Weltimmo.Parallel to the repeated investigation, Weltimmo  filed an extraordinary appeal against the court's decision with the Curia (the Hungarian Supreme Court). Weltimmo argued that  the  court's conclusion on jurisdiction and applicable law was flawed -  as it is incorporated in Slovakia it should only be subject to Slovak law; the NAIH and Hungarian courts should not have jurisdiction.

The Curia referred the case to the CJEU and requested a preliminary ruling regarding jurisdiction and applicable law.

The questions referred to the CJEU

The Curia asked whether the EU Data Protection Directive (Directive 95/46) must be interpreted as permitting the NAIH to apply Hungarian data protection law  to a company  incorporated in Slovakia.

The Curia also asked  whether Weltimmo would have  an 'establishment' in Hungary, within the meaning of Article 4(1)(a) of Directive 95/46, as a result of its Hungarian-focussed website, representative, data subjects and shareholders.

Legal background

Article 4(1)(a) of Directive 95/46 provides that:

1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable’.

Recital 19 in the preamble to Directive 95/46 states the following:

(19) Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities;

The CJEU's ruling

On 1 October 2015, the CJEU ruled that, based on the factual background of the case, which is for the Curia to verify, Weltimmo is ‘established’  in Hungary within the meaning of Article 4(1)(a). Therefore, Hungarian law  applies to the activities of Weltimmo.

According to the CJEU the relevant factors were:

(a) Where a controller exercises a real and effective activity in one Member State and has stable arrangements there (even where this is quite minimal), and when personal data is processed in the context of that activity, Article 4(1)(a) of Directive 95/46 must be interpreted as permitting the application of the law of that Member State – notwithstanding that the  the relevant controller is incorporated in another Member State (Slovakia);

(b) In this case, the referring court may, in particular, take account of the fact:

(i) that the controller’s website is mainly or entirely directed at Hungary – as evidenced by the fact that it concerns properties situated in  Hungary  and is written in Hungarian) ; and

(ii) that that controller has a representative in Hungary, who is responsible for recovering  debts resulting from that activity (i.e. unpaid debts from property owners), who serves as a point of contact between the company and the advertisers who made complaints and who  represent the controller in the associated administrative and judicial proceedings;

(c) The issue of the nationality of the data subjects  is irrelevant.

The CJEU also noted that Weltimmo had opened a bank account in Hungary, intended for the recovery of its debts, and uses a letter box in Hungary for the management of its everyday business affairs.

On the other question, the CJEU ruled that a supervisory authority of a Member State, to which a complaint has been submitted, may examine that complaint irrespective of the applicable law and, consequently, even if the law applicable to the processing of the data concerned is that of another Member State. However, the authority cannot impose penalties outside the territory of its own Member State. Accordingly, in such a situation, it must request the supervisory authority of that other Member State to establish any infringement of that law and to impose penalties if that law permits, based, where necessary, on the information which the authority of the first Member State  has transmitted to the authority of that other Member State.

Building on Costeja

The ruling builds on the earlier ruling of the CJEU in the Google right to be forgotten case (C-131/12). According to the CJEU, the objective pursued by Directive 95/46 consists in ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and, in particular, their right to privacy. The words ‘in the context of the activities of an establishment’ in Article 4(1)(a) of Directive 95/46, cannot be interpreted restrictively. This also results in a broad concept of ‘establishment’, which departs from a formalistic approach, where undertakings are established solely in the place where they are incorporated.

In order to establish whether a  data controller has an establishment, within the meaning of Directive 95/46, the  stability of the arrangements and the effective exercise of activities must be interpreted in the light of the specific nature of the economic activities and  services concerned. This is particularly true for undertakings offering services exclusively over the Internet.

(a) The concept of establishment extends to any real and effective activity – even a minimal one – exercised through stable arrangements; and

(b) the presence of only one representative can, in some circumstances, amount to a stable arrangement if the representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State.

In the Google case, the CJEU adopted a broad approach to applicable law rules, so as to defeat Google’s arguments that it was not subject to EU data protection law at all. In Weltimmo the CJEU  determined that a similar broad approach is also relevant when there is no doubt that EU data protection law applies, but where the question is which Member State’s law will apply. A company cannot use its place of incorporation as a way of avoiding the application of the data protection law of another Member State – and the sanctioning powers of the data protection authority in that other Member State – if it has even a minimal establishment in that state and if its data processing is really carried out in the context of the activities of that other establishment.

As Weltimmo was seeking to use its place of incorporation as a way of avoiding data protection obligations, it is perhaps not surprising that the CJEU reached the conclusion it did.  The decision is likely to be welcomed by those data protection authorities who have expressed concern about the attempts by some – largely US online services and technology – companies to argue that the personal data they process about EU residents is solely processed in connection with the activities of those companies’ EU headquarters in Ireland.

However, the decision raises many difficult questions, especially for businesses which operate online. In particular, it is now unclear if setting up an online presence targeting a particular Member State will, by itself, mean a business is established in that Member State for data protection purposes, or if use of a local representative or bank account and PO box is also required. The court does not refer to these as cumulative conditions. There could, therefore, be an inference that a targeted website alone would be sufficient. If this is applied to data controllers with no physical presence, this would draw the ambit of EU data protection law very widely indeed, anticipating the territorial scope of the draft General Data Protection Regulation, and raising practical questions as to how EU data protection authorities will be able to enforce the law against such controllers. It may, however, be ill-advised to read the decision as literally as this and to draw such a wide conclusion from the very specific facts of this case.