In all of the excitement surrounding the Schrems decision and its impact on Safe Harbor, it would be easy to miss the significance of the other decision of the Court of Justice of the European Union ("CJEU") in Weltimmo - issued just days before the judgement in Schrems. Yet the Weltimmo judgement, in its own way, has the potential to significantly impact the way in which global organisations should be thinking about their data protection strategy in Europe.
In Weltimmo, the CJEU came to a number of game-changing conclusions in relation to the applicability of EU data protection law. In essence, the judgement opens the doors for individuals to beat a path to the door of their local DPA to complain about data protection law breaches, even if the organisations about which they are complaining claim to be established in another EU Member State.
Under the EU Data Protection Directive, if a business is 'established' in an EU Member State and is processing personal data in the context of that establishment, it will fall within the scope of the data protection law of that Member State. Up to now, businesses have interpreted this rule to mean that if they are headquartered in a particular EU Member State, they have to comply with the data protection laws of only that Member State. Many US multinationals have taken the approach of incorporating an entity in a particular Member State (e.g. Ireland) and nominating this entity as the data controller for the purposes of EU data protection law.
My colleague Tim Van Canneyt has previously discussed how the nomination of a single data controller is under fire – see here. The decision in Weltimmo puts beyond doubt that companies should be re-thinking this strategy.
So what does the Weltimmo decision say? Key points are:
- The concept of establishment must be interpreted broadly;
- Currently, there is no 'one-stop-shop' principle – if a data controller is established on the territory of more than one Member State, each of the establishments must comply with applicable data protection law;
- The legal form of such establishment (e.g. branch, subsidiary, etc.) is not the determining factor;
- The formalistic approach whereby organisations are considered to be established solely in the place in which they are registered is not the correct approach;
- There is a 3-pronged test:
  - Is there an exercise of real and effective activity – even a minimal one?
  - Is the activity through stable arrangements?
  - Is personal data processed in the context of the activity?
In determining whether the above test is met, the CJEU provides guidance on a number of factors to be taken into consideration. In particular, the context must be considered, i.e. the nature of the economic activities/service provided by a business. For an Internet business, the fact that the website is written in the language of a Member State (and, as a consequence, mainly or directly targeted at that Member State) is a significant factor.
Crucially, the presence of only one representative in a Member State can, in some circumstances, suffice to meet the stable arrangement criterion – the role of the representative is relevant in this context, e.g. as a point of contact for data subjects and/or as a representative for the data controller in judicial and administrative proceedings. The opening of a bank account by the data controller in a particular Member State is also relevant. However, the nationality of the owners of the business should not be taken into account.
On the other hand, the CJEU decision turns very much on the facts – it is difficult to work out what weight to give to each of the relevant factors to be taken into consideration. For example, it is not clear whether physical presence is always required, e.g. whether it would be enough if, in the context of an Internet business, the business is targeting the citizens of a particular country on an ongoing basis via a website translated into the language of that country.
However, in view of the low threshold for determining whether a data controller is 'established' in a particular Member State – processing personal data in the context of the exercise of an activity, however minimal, and, depending on the circumstances, having just one representative – it is likely that many organisations headquartered in a particular Member State will need to revisit their European data protection strategy.
As per our recommendations here, businesses should put in place certain conditions and controls to support the contention that the nomination of a data controller in a particular Member State goes beyond a mere nomination "on paper". However, as a result of Weltimmo, businesses should also look to other key EU Member State markets, e.g. where they are targeting the citizens of those Member States and/or have even a minimal presence, and consider the likely implications of being subject to the data protection laws of those Member States.