EU’s Highest Court Rules on Applicable Law and Territorial Powers of the National Data Protection Authorities
On October 1st, 2015, the Court of Justice of the EU rendered its judgment in the Weltimmo case (C-230/14). The case addressed two important aspects of EU data protection law, namely applicable law and the scope of the territorial powers of data protection authorities.
The case arose out of a dispute between Weltimmo, a company registered in Slovakia, which operates property dealing websites concerning Hungarian properties, and the Hungarian data protection authority. Several advertisers lodged a complaint with the data protection authority, which imposed a fine on Weltimmo for a violation of the Hungarian Law on Information.
On applicable law
Article 4(1)(a) of the EU Data Protection Directive 95/46/EC provides that the national law of a Member State applies when personal data is processed in the context of activities of an establishment of a data controller in that Member State. According to the Court, this provision cannot be interpreted restrictively; rather, the EU legislature “… prescribed a particularly broad territorial scope of Directive 95/46/EC.”
The Court rejected a formalist approach “whereby undertakings are established solely in the place where they are registered”, but held that the concept of “establishment” must be interpreted in the light of the specific nature of the economic activities and the provision of the services concerned. The Court clarified that the presence of only one representative can, in some circumstances, suffice. Even a “minimal” real and effective activity (here the running of property dealing websites written in Hungarian with advertisements subject to a fee) exercised through stable arrangements in a Member State could suffice to trigger the ‘establishment’ test and render that Member State’s data protection law applicable. In the present case, the Court considered that having a representative in Hungary, who is responsible for recovering the debts resulting from the activity and who represented the controller in administrative and judicial proceedings, and having a bank account and a letter box in Hungary, would be sufficient to qualify as an activity exercised through stable arrangements.
The Court confirmed its findings from the Google Spain case (C-131/12) that Article 4 (1) (a) of Directive 95/46/EC does not require the processing of personal data in question to be carried out by the establishment concerned, but only processing ‘in the context of the activities’ of the establishment. In the present case, in the Court’s view, the fact that Weltimmo’s websites published personal data of the owners of the properties and in some cases use the data for invoicing purposes constituted processing in the context of the activities Weltimmo pursues in Hungary. The nationality of the persons concerned by such processing is irrelevant.
On the powers of the data protection authorities
The Court considered a scenario where a data protection authority received complaints about the activities of a controller which is not established on its own territory. In this case, the Court argued, the national data protection authority can nonetheless hear and investigate the complaint irrespective of the applicable data protection law. However, the data protection authority cannot enforce the applicable data protection law and impose sanctions against a controller that is not established in its jurisdiction. Rather, in such a case, the data protection authority would need to seek the cooperation of the data protection authority of the country in which the controller is established, which itself may carry out other investigations, on the instructions of the former supervisory authority.