The ECJ has delivered a judgment which could have a significant impact on how pan-European businesses approach their data protection strategy. This judgment may impose new rules of compliance on companies that have an internet presence across the European Union.
The case revolved around Article 4(1)(a) of the EU Data Protection Directive 95/46/EC, as to what constitutes a company’s “establishment” in a country. Article 4 provides that the national law of a Member State will apply when personal data is processed in the context of activities of an establishment of a data controller in that Member State.
Weltimmo, the data controller, was incorporated and registered in Slovakia. It operated a property website in Hungarian and had a representative and address in Hungary but was not itself incorporated in Hungary. Weltimmo accepted it was governed by the data protection laws of Slovakia but contended that the data protection laws of Hungary did not apply to it as it was not registered in Hungary and therefore was not established.
As a result of 63 complaints by the advertisers, Weltimmo was fined approximately €32,000 by the Hungarian data protection authority. Weltimmo then brought an action in the Hungarian courts arguing that by virtue of Article 4 of the Data Protection Directive (95/46/EC), it was subject to Slovakian rather than Hungarian data protection law. The Hungarian Supreme Court referred the case to the ECJ which has issued a fundamental ruling.
The ECJ found that by operating websites that advertise local properties in Hungarian, there was no doubt that this constituted “real and effective activity” in Hungary. Furthermore, the fact that Weltimmo had a representative in Hungary (with a bank account), who was responsible for recovering the debts resulting from the aforementioned activity, was enough to constitute an “establishment” under the Directive. As such, the Hungarian Authorities were well within their rights to impose the fine on the Slovakian-registered company.
This conclusion is not the first of its kind. In the case of Google Spain (2014), the court decided that where a company markets to Spanish users in Spanish, then Spain will have jurisdiction.
The broad interpretation of Article 4 of the Directive could result in the application of numerous national laws on companies who have a presence in each jurisdiction. Whilst decisions such as this will depend very much on the facts in question, it is clear that companies who have adopted a pan-European business structure may need to revisit their privacy strategy. Such companies would have to comply with multiple EU data protection laws, each having particular variations which would need to be considered.
In practice, if the new draft EU Data Protection Regulation comes into effect in its current form then the position will be reflected under the new draft Regulation as well.
If you would like to discuss any of the above, please do not hesitate to get in touch with your usual Stevens & Bolton contact or email firstname.lastname@example.org