In a recent decision, the Court of Justice of the European Union (ECJ) ruled on how the term “establishment” used in the EU Data Protection Directive 95/46/EC must be interpreted, and thereby on the applicability of national data protection law in cases with a cross-border context (I.), as well as on the power of national data protection authorities in this regard (II.).[1] This has practical implications (III.).
I. The term “establishment” in the EU Data Protection Directive 95/46/EC and its consequences for the applicable national data protection law
On October 1, 2015, the ECJ issued a decision on the question of which national data protection law applies within the European Union if the operator of a website offers cross-border services in the EU market. The decision softens the country of origin principle, which basically stipulates that the national data protection law of the country in which the data controller is located applies. Art. 4 para 1 (a) of the EU Data Protection Directive stipulates that the national data protection law of an EU country shall apply if the processing is carried out in the context of the activities of an establishment of the data controller on the territory of that EU country. According to recital 19 of the EU Data Protection Directive, an establishment of a controller requires an effective and real exercise of an activity through stable arrangements. The ECJ has now broadened the interpretation of the term “establishment” under the EU Data Protection Directive, which results in a restriction of the country of origin principle.
Background:
In May 2014, the ECJ decided that an affiliate of a US search engine operator located in Spain qualifies as an establishment within the meaning of the EU Data Protection Directive, although personal data was only processed by the US parent company.[2] The Spanish affiliate qualified as an establishment because it provided advertising services to fund the parent company’s services in Spain, thereby triggering the application of Spanish data protection law. This decision by the ECJ seems to say that an establishment of a non-European data controller no longer needs to be effectively and directly involved in the data processing activities for EU data protection law to apply. The recent judgment of the ECJ now concerned the question of applicable data protection law in a pure EU context. In the recent proceeding, the ECJ states that an establishment can be assumed in a Member State even if the effective and real exercise of activity is very limited. The ECJ specifies this and mentions some criteria which can be decisive for the presence of an establishment in a Member State, triggering the application of that Member State’s data protection law. These criteria can be broken down as follows:
- The activity consists of the operation of a website which serves the purpose of brokering third party offers (in this case real estate offers) to customers in Member State A. The operator of the website is located in Member State B.
- The real estate offers are also situated on the territory of Member State A.
- The website is available in the language of Member State A.
- The company operating the website has a representative in Member State A who acts in Member State A with a sufficient degree of stability. In the case at hand, the representative was responsible for collecting payments from customers located in Member State A who were using the website services. The representative interacted directly with such customers on the territory of Member State A. He also represented the company operating the website in any administrative and judicial proceedings in Member State A.
The concrete meaning of “a sufficient degree of stability” remains unclear. In the underlying case, the representative was also a co-owner of the company operating the website and was a citizen and resident of Member State A. However, the ECJ did not rely on these circumstances for the interpretation of the term “establishment”.
II. Power of national data protection authorities
The ECJ further discussed the power of national data protection authorities in a cross-border context: An affected data subject may contact any data protection authority in any Member State, even if the data protection law of another Member State is actually applicable, pursuant to Art. 28 para 4 of the EU Data Protection Directive; however, the power of the data protection authority contacted by the data subject is limited if another data protection authority is actually competent. The data protection authority that has been contacted by the data subject (but which is not the competent data protection authority) may, for example, examine the complaint. However, it is not empowered to impose any sanctions on a data controller located in another Member State. In this case, the contacted data protection authority may reach out to the competent data protection authority and may propose sanctions to be imposed by the competent authority in the course of cooperation. In the end, the duty of identifying and sanctioning any violations of data protection law remains with the competent data protection authority.
III. Practical consequences
This judgment is particularly relevant for operators of websites and other online service providers who have engaged a representative acting on behalf of the service provider in a Member State other than the one in which the service provider has its headquarters or subsidiaries. Even if the activity in a Member State is very limited, there is a risk that it may qualify as an establishment under the EU Data Protection Directive, triggering the application of national data protection law. Such service providers should examine in which Member States such activities may exist and whether national data protection law has been taken into account. Otherwise, sanctions may be imposed by the competent data protection authority. This risk is increased by the fact that the affected data subject may bring a claim to any data protection authority, which may then cooperate with the actually competent data protection authority to impose sanctions. Furthermore, service providers targeting German consumers should keep in mind that recent case law in Germany has limited the country of origin principle even further: If the service provider requires the data subject to consent to the privacy policy as a whole, this may trigger the application of the German law on standard terms. Pursuant to the German law on standard terms, German courts have then assessed whether a privacy policy (which is, from a data protection law perspective, not subject to German data protection law because there is no establishment in Germany) deviates from any statutory rules and provisions, including the requirements under the German Federal Data Protection Act. The courts thereby apply German data protection law indirectly, through the back door of the German law on standard terms. The applicability of German data protection law could be avoided by separating the privacy policy from any terms and conditions and by not requiring the customer to consent to the privacy policy as a whole.
[1] ECJ judgment of October 1, 2015, Case C-230/14, available online at: http://curia.europa.eu/juris/document/document.jsf?text=&docid=168944&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=151463
[2] ECJ judgment of May 13, 2014, Case C-131/12, available online at: http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=363326