Who: Weltimmo s.r.o. and Nemzeti Adatvedelmi es Informacioszagadsag Hatosag (“NAIH”)
Where: European Court of Justice, Luxembourg (“ECJ”)
When: October 2015
Law stated as at: 1 October 2015
What happened: On a request from the Hungarian court, the ECJ recently considered the circumstances in which a data controller has to comply with the data protection laws of an EU member state (let’s call it “EMS A“) even though it is registered either in EMS B or a country outside the EEA, such as for example the USA.
The decision turned chiefly on whether the data processing in question could be said to be:
“carried out in the context of the activities of an establishment of that data controller in the territory [of EMS A ]”
(Article 4.1 (a) of EU Data Protection Directive 95/46/EC (“DPD”)).
In the case in question Weltimmo s.r.o.(“W“) ran a property dealing website (“Website”) concerning Hungarian properties but was registered in Slovakia.
There was confusion as to the location of the server that hosted the Website: the Hungarian court stated in two of its questions to the ECJ that the server was in Slovakia, but in the order of reference to the ECJ the possibility was mentioned that that W’s servers may be in Austria or Germany.
In the course of running the Website, W processed the personal data of advertisers wanting to sell property in Hungary. The ads were free for a month, after which a fee was payable. Many of the advertisers asked W to stop running the ads after the first month, but W failed to do this and when the advertisers didn’t pay up, W passed their personal data to debt collection agencies.
The advertisers complained to the Hungarian data protection authority (“HDPA“) that W’s processing of their personal data was a breach of Hungarian data protection law and the HDPA fined W €32,000. W appealed, arguing that the HDPA was not competent in the case and could not apply Hungarian data protection law.
Appellant argues that only the Slovak data protection authority was competent
Under Article 28 (6) of the DPD, W argued, the HDPA should have referred the matter to the DPA of Slovakia.
Article 28 (6) of the DPD provides that whatever the national data protection applicable, a national DPA can take action in respect of data processing carried out in their territory.
The ECJ disagreed with W.
The Appeal judges held that particularly in the case of undertakings offering services exclusively over the internet, the concept of “establishment” must be interpreted flexibly.
It reminded us that in the case of Google Spain and Google (C-131/12) it was held that for the law of EMS A to apply, the processing in question had to be carried out not “by” the establishment concerned itself in EMS A, but only “in the context of the activities” of the establishment in EMS A.
First consider “establishment” location then “context” of processing
The correct approach, the court said, was to first of all establish whether the data controller had an establishment in Hungary and then to consider whether the personal data processing in issue was occurring in the context of that establishment.
The ECJ said that in considering the first question, both the “degree of stability” of its arrangements in EMS A and the “effective exercise of activities” in EMS A should be interpreted in light of the “specific nature of the economic activities and the provision of services concerned.”
In this case, the ECJ held that since the Website promoted property in Hungary and was written in Hungarian, it must be held that W pursued a real and effective activity in Hungary.
The evidence also showed W’s effective exercise of its activities in Hungary in a manner which had a considerable degree of stability.
W had a representative in Hungary who was mentioned in W’s Slovak registration details and who also acted as a point of contact between W and the individuals who took action against W in the Hungarian courts. W had also opened a bank account in Hungary and used a letter box in Hungary for the management of its everyday business affairs.
These factors were all capable of establishing the existence of an “establishment” in Hungary, the court held.
The second stage of the process was to determine whether the processing of personal data in question was carried out “in the context of that establishment.”
Here the relevant processing included the publication on the Website of personal data relating to owners of property situated in Hungary, the use of this data in order to send invoices after the first month and the loading of personal data onto the Website.
The ECJ held that there was “no doubt” that this processing took place “in the context” of the activities pursued by W in Hungary.
Nationality of data subjects not relevant
The ECJ also made it clear that the fact that the property owners themselves were resident in Hungary was “of no relevance whatsoever” for the purposes of determining the national law applicable to the processing in issue.
Finally the ECJ held that if the HDPA had determined that Slovak data protection law applied, the effect of Article 28 (6) and also Articles 28 (1) and (3) of the DPD was that although the HDPA could investigate the data processing in question as it occurred in Hungary, as W was registered and established in Slovakia, it would have had to pass the matter to the Slovak DPA to take enforcement action.
Why this matters:
This decision confirms and expands on the flexible approach to the concepts of “establishment” and “context” laid down in the Google Spain case.
Three aspects of the judgment are particularly noteworthy.
First of all the court specifically confirms the applicability of these principles to data controllers registered outside the EEA as well as those registered in another EMS.
Secondly the ECJ underlines that the nationality of the data subjects involved is not a relevant consideration when considering whether personal data processing is being carried out in the context of activities of an establishment of the data controller on the territory of a particular EMS.
Thirdly, although this is not spelt out in the judgment, the decision appears to indicate that where the data controller’s business platform is a website, the geographical location of the server that hosts it is not of itself going to be determinative of which national data protection law applies.