While the Schrems decision invalidating the US-EU Safe Harbor Program is rightly attracting a great deal of attention (as well as blogging and webinars) – and leaving many wondering what to do in the absence of the US-EU Safe Harbor System – companies doing business in the EU need also to consider the impact of another recent decision, reached just days before Schrems. In Case C-230/14, Weltimmo s. r. o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság (Weltimmo v. Hungarian Data Protection Authority), the European Court of Justice considered how the EU Data Protection Directive applies to companies operating across multiple jurisdictions and, in particular, what it means for a company to be “established” within a particular jurisdiction.
“Establishment” matters because a company is bound by the data protection laws of any and all member states in which it is “established,” and these laws are not uniform. The Directive creates a Union-wide objective of data protection, but leaves implementation to member states. (A directive, in EU parlance, differs from a regulation, which is a binding, uniform requirement applicable to all member states.) What constituted “establishment” was unclear prior to Weltimmo, but was often thought to mean where an entity was physically headquartered.
In Weltimmo, however, the Court took a much more expansive view of “establishment.” This is not surprising, because the Directive itself defines “establishment” broadly: “the effective and real exercise of activity through stable arrangements […] the legal form of such an establishment, whether branch or subsidiary within a legal personality, is not the determining factor in this respect.” The Court noted that this “departs from a formalistic approach whereby undertakings are established solely in the place where they are registered,” and allowed that an entity may be “established” in a state where it “exercises, through stable arrangements in the territory of that Member State, a real and effective activity – even a minimal one – in the context of which [data] processing is carried out.” (“Processing” is likewise defined broadly by the Directive.)
The decision is hardly model guidance for companies, leaving them (and their lawyers) to puzzle out what “stable arrangements” and “real and effective activity” mean. Some lessons can be drawn from what the Court says about the actual facts of the case; the Court found it important that the website in question was “written in [the] Member State’s language,” concerned advertisements of “properties situated in the territory of [the] Member State,” and was “mainly or entirely directed at [the] Member State.” In any event, Weltimmo should cause companies to think about whether the laws of more than one member state may apply to their activities.
These same companies should also monitor the ongoing negotiations about the General Data Protection Regulation, which is expected to be adopted early next year. How exactly the principles laid down in the Weltimmo decision may interact with the Regulation is difficult to foresee, because the text is still under negotiation, but the Regulation may result in more consistent standards across multiple jurisdictions.