Data Privacy & Security

Weltimmo - Time To Assess Your EU Data Protection Strategy

One question multinationals operating across multiple EU jurisdictions frequently grapple with is which of the various national data protection laws they need to comply with.  Naturally, they strive to structure their operations so that they have to comply with as few laws and regulatory requirements as possible – ideally just one.  A strategy frequently used by multinationals operating across numerous EU jurisdictions to reduce the compliance burden is to publicly appoint one EU-based entity as the data controller.  This strategy will need to be reconsidered and adapted in light of the Weltimmo judgement handed down by the CJEU on 1 October 2015.

The Question Referred To The CJEU

The CJEU was asked by the Hungarian Supreme Court to make a preliminary ruling on which national member state law applied to the data processing in question.  To answer this question, the CJEU had to clarify the meaning of 'establishment' in Art.4 of the Data Protection Directive triggering the application of national member state law.  In particular, it had to decide whether Weltimmo, a company registered in Slovakia, without any formal undertakings in Hungary, was nonetheless carrying out data processing activities 'in the context of an establishment' on Hungarian soil.  For a summary of the underlying facts and dispute, please see the English version of our Hungarian client alert on the decision in our November LegalBytes edition.

The CJEU’s Ruling

The CJEU ruled that the concept of establishment must be interpreted broadly to extend to any real and effective activity, even a minimal one, exercised through stable arrangements.  It rejected a formalistic approach whereby undertakings are established solely in the place where they are registered.  Rather, in order to determine whether a data controller has an 'establishment' in a member state, other than the member state or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other member state must be considered.  And they must be interpreted in the light of the specific nature of the relevant economic activities and provision of services. 

In Weltimmo, the following factors triggered the application of Hungarian data protection law:

  • a website written in local language targeting Hungary;
  • a representative permanently present in Hungary for debt collection and administrative/judicial proceedings; and
  • a letter box and a bank account in Hungary.

Notably, the fact that the website users were Hungarian citizens was considered irrelevant and the CJEU stated that in certain instances, the appointment of a local representative alone can suffice for there to be 'stable arrangements' which trigger the applicability of EU national law. 

What Now?

Businesses carrying out activities, even minimal ones, in more than one EU member state are potentially required to comply with the national privacy laws of each such member state (regardless of whether or not they are headquartered in the EU).  Those businesses (particularly online businesses) currently taking the view that they need only comply with the data protection law of one EU member state, because they are registered in that member state or because they have publicly appointed an entity in that member state as their data controller for the EU, will need to reassess and potentially revise their EU privacy strategy.

This is not to say the Weltimmo judgement is without its challenges. The court's approach is, arguably, at odds with the digital single market idea.  In applying the court's decision, certain scenarios will not be clear-cut. Some arrangements would need to be carefully considered on their own facts.  For example, Weltimmo did not carry out any activity in Slovakia where it was registered and had, on several occasions, moved its registered office between member states.  These facts, no doubt, played a crucial part in the decision.  Overall, care should be taken to ensure any EU data protection strategy does not serve (or is not seen to serve) the purpose of circumventing national privacy laws or protections for individuals. 

Contributor - Anna von Dietz