The transnational nature of many modern commercial enterprises can create significant difficulties when it comes to the application of domestic data protection legislation within the EU. Questions can often arise as to whether the enterprise has the necessary territorial presence in order to enable the domestic legislation to apply. These questions can be particularly difficult to resolve where the enterprise in question comprises an online business which has ethereal tentacles stretching into multiple jurisdictions. Of course, we have now all just about got to grips with the interesting intellectual gymnastics embarked upon by the CJEU in Google Spain. Now the issue of the territorial application of data protection legislation has resurfaced in a case concerning a spat between a Slovakian company operating a property-dealing website (W) and various disgruntled Hungarians who sought to sell their properties through the site: Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság (Case 230/14).
You can read about the background to the Weltimmo case here. In short, the core question which arose in Weltimmo was whether the Hungarian Data Protection Authority (HDPA) had jurisdiction to fine W in circumstances where:
(a) W had its registered seat in Slovakia;
(b) one of W’s owners was a Hungarian living in Hungary who had legally represented W before the HDPA;
(c) W had received personal data from individuals in Hungary who wished to advertise their Hungarian properties on W’s website and
(d) W had apparently then gone onto misuse the personal data it had received.
The Hungarian Kúria court was unsure as to how to answer this question. This was because it was unclear as to the legal effects of two Articles of Directive 95/46/EC: Article 4 (concerning the territorial scope of domestic data protection laws) and Article 28 (concerning the role of the domestic supervisory authority). Accordingly, the court referred a number of questions to the CJEU, all of which were essentially focused on identifying the territorial reach of the domestic data protection laws and domestic supervisory authorities under the Directive (you can find the questions here). Advocate-General Cruz Villalón (yes he of Digital Ireland fame) has now given his opinion on these questions: see here. Rather frustratingly however, the opinion is not currently available in English. It is available in French and a host of other European languages (including for the multi-lingual amongst you Bulgarian and Czech). My admittedly rather untutored take on the French language version is that it contains the following key conclusions (see in particular paragraph 72):
– The effects of Articles 4 and 28 are that a supervisory authority in Member State X cannot assert jurisdiction over a data controller which is not ‘established’ in Member State X. Instead, that supervisory authority only has jurisdiction in respect of data controllers which are ‘established’ within its own territory (i.e. within Member State X).
– When considering the extent to which a data controller is ‘established’ in Member State X, the focus should be on the de facto, rather than the de jure, position. The crucial question is: from where, in a physical, logistical sense, does the data controller operate the business in question? Answering this question is likely to require a focus on where the business’ human and technical resources are located.
– The data controller may be established in a number of different Member States, provided that its operations in those Member States have the necessary quality of stability.
– Factors such as where the data has been downloaded, the nationality of the injured parties, the domicile of the owners of the company responsible for processing the data or the fact that the service provided is directed at the territory of another Member State are not directly relevant or decisive. They may however be indirectly relevant insofar as they may shed light on the question of where the data controller is established.
It remains to be seen whether the CJEU will follow the Advocate-General’s opinion. If it does, then that will reaffirm the essentially fragmented, patchwork nature of the protections afforded under the current Directive. Of course, if and when the draft General Data Protection Regulation becomes law, this patchwork of protections will give way to a more unified approach, as the era of the one-stop shop will be upon us.