Mason Hayes & Curran unpacks the Weltimmo case – a European data protection case almost overlooked in the frenzy around Schrems and Safe Harbour.
In the whirlwind of attention that followed the invalidation of Safe Harbour, observers might be forgiven for missing another recent – and important – data protection judgment.
The judgment of the Court of Justice of the European Union (CJEU) in ‘Weltimmo’ (AKA Case C-230/14) was handed down shortly before the Schrems Safe Harbour ruling.
Weltimmo deals with two issues. First, the rules determining which national data protection law applies to an organisation that is operating in multiple EU member states; and second, the powers of national data protection authorities (DPAs) in such cases.
How did the Weltimmo case arise?
This decision concerned a property advertisement website run by Weltimmo. Weltimmo was a Slovakian company, but the website dealt with property situated in Hungary and was written in Hungarian.
Weltimmo had been fined by the Hungarian DPA for breaches of local law and went on to challenge the fine in the Hungarian courts.
The Hungarian courts referred questions to the CJEU, asking whether Hungarian law properly applied to Weltimmo, and if the Hungarian DPA had validly exercised its powers.
Which data protection law applies?
While the Data Protection Directive is a piece of EU law, each member state implements the directive in its own national law, resulting in some differences from state to state.
For organisations operating across borders, the challenge can be determining which national law applies to that organisation’s activities.
The Data Protection Directive sets out a test to determine which law applies in such cross-border scenarios. A key aspect of the relevant test is to determine whether the organisation is deemed to have an “establishment” in the country in question and in the context of the personal data that is processed.
In this case, the CJEU considered that Weltimmo was likely to have a relevant establishment in Hungary, on the basis that its data processing was in the context of “a real and effective activity” pursued in Hungary. Therefore, the CJEU found that Hungarian data protection law would likely apply to Weltimmo, subject to the Hungarian court determining certain factual issues.
Some of the relevant factors the court identified were:
- The website dealt with properties in Hungary and was written in Hungarian, meaning its operations were “mainly and entirely directed” at Hungary
- Weltimmo had a representative in Hungary, who was responsible for collecting debts and for representing the data controller in administrative and judicial proceedings relating to the data processing
- Weltimmo had a Hungarian bank account and post box
- Weltimmo did not carry out any activity in Slovakia.
What are the regulator’s powers?
The CJEU also looked at the powers of the national DPA in circumstances where a foreign data protection law applied to a company doing business within its territory. In other words, what could the Hungarian DPA do if Slovakian law applied?
The CJEU stated that a DPA could generally investigate complaints received from data subjects, regardless of the law governing the relevant organisation.
The CJEU also noted that where the organisation’s processing of data is governed by the law of one state – e.g. Slovakia – but is investigated by a regulator in another – e.g. Hungary – that regulator has no power to impose penalties outside its territory (i.e. outside Hungary).
In addition, a national DPA cannot impose penalties based on the data protection law of another state, nor may it establish infringements of foreign law.
What are the implications of the Weltimmo decision?
In some respects, this judgment follows in the footsteps of the Google Spain decision in lowering the threshold for a business to be considered “established” in a member state for data protection purposes.
However, the judgment also provides some helpful guidance as to how DPAs ought to exercise their often overlapping jurisdiction. The judgment makes clear that while DPAs are entitled to investigate complaints that they receive, they do not have jurisdiction to impose extraterritorial penalties or take action against a company that is subject to a foreign data protection law.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.
Mária Valéria Bridge image by Kayo via Shutterstock