Which U.S. Businesses Must Comply with EU Data Protection laws?

What the recent Amazon decision tells us

On 28 July 2016, the European Court of Justice rendered a decision in a dispute between an Austrian Consumer Protection organization known as VKI (Verein für Konsumenteninformation) and Amazon EU Sàrl, a subsidiary of Amazon registered in Luxembourg. The main issue in this case is whether Amazon General Conditions were enforceable under Consumer Law; however; one of the questions referred to the European Court was about the territorial scope (Article 4) of the 95/46/EC Directive on Data Protection.

Article 4 reads as follows:

National law applicable

Each member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;


(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.”

 Do European Data Protection rules apply at all?

  1.   Is the company “established” in the EU?

The first step is to determine whether a company has an establishment in the EU; this concept is interpreted broadly. According to paragraph 19 of the Preamble “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; … the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor…”

In the Google Spain case, the “right to be forgotten” case, two entities were parties to the action, the U.S. parent (Google Inc.) and its Spanish subsidiary (Google Spain). Google Inc. argued that it did not have any establishment in the EU and Google Spain argued that its activities were not to collect data, but to sell advertising space.  The European Court held that Google Spain had to be regarded as an establishment of Google Inc. because the sale of advertising space was closely connected to the search engine, it made it profitable and was directed at persons residing in Spain.

2.  Are the data processing activities conducted “in the context of the activities” of that establishment?

Once it is determined that a data processor has an establishment in the EU, the second step is to determine whether the data processing activities are conducted “in the context of the activities” of that establishment. It is not necessary that the data processing should be conducted by the European establishment. This was made very clear in the Google case:  the Court found that the activities conducted by Google Inc. and Google Spain were different, but still closely enough connected:  one could consider that the activities of the U.S. search engine were conducted in the context of those conducted by Google Spain.

Which one of the various national Data Protection laws applies?

Once it is determined that European Data Protection rules apply, the question becomes more precisely: which national Data Protection law applies? This is important because although the purpose of the 95/46/EC Directive was to harmonize national laws, significant differences still remain.  This issue was dealt with in the Weltimmo case. Weltimmo was a company registered in Slovakia, but it operated a website in Hungarian language with adverts for real property for sale located in Hungary. The service was free for one month, but after this period the advertisers had to take the initiative of removing the ad or be charged for the service. Clients who had been sued for payment filed a complaint with the Hungarian Data Protection Authority, which took the view that Hungarian law applied, that it had been violated and issued a fine. Weltimmo raised as a defense that it was a Slovak company, not subject to the jurisdiction of the Hungarian Data Protection Authority. The European Court said that it was for the national court to assess whether Weltimmo was established in Hungary, but noted that the website was in the Hungarian language only, that it was directed at the Hungarian market exclusively, that it had appointed a representative in Hungary and that these were all relevant factors to be taken into consideration.

The recent Amazon v/ VKI case is similar to the Weltimmo case:  Amazon did not argue that European rules did not apply.  The party to the action was Amazon EU Sàrl, a subsidiary registered in Luxembourg, but the activities at stake were those conducted through the website www.amazon.de, which targets German as well as Austrian customers. An Austrian Consumers Protection Organization had challenged Amazon General Terms and Conditions and brought an action for an injunction to prohibit the use of those Terms and Conditions which it considered contrary to Austrian law. Some of these clauses related to personal data and said, for example, that Amazon would share the information collected with third parties to check the creditworthiness and address of clients. One ancillary question was which national Data Protection law applied to check whether these clauses were legal. Was it the law of the country of Amazon’s establishment only or also that of the country that was targeted, namely Austria?

The Court answered that the law of the country that is targeted is only relevant if there is an establishment in that country which processes the data. “Establishment” therefore remains the key concept for the time being.

In practice, the rules set out in Article 4 of the Directive can be summarized as follows: U.S. businesses which do not have any establishment in the EU (i.e., which do not have any branch or subsidiary or other “stable arrangements” in the EU) do not have to comply with EU Data Protection law, provided that they do not use servers or other equipment in the EU.  This will change, however, on 25 May 2018 when the General Data Protection Regulation comes into effect since the Regulation will also apply to non-EU established controllers and processors who target individuals “who are in the Union” for the purposes of offering goods or services to such individuals or monitoring their behavior.

Leave a Reply

Your email address will not be published. Required fields are marked *