The Ashley Madison data breach raised doubts as to whether or not the UK's Information Commissioner had any enforcement powers over businesses processing personal data collected in the UK if they were located in another state.
Traditionally, enforcement action is undertaken by the Data Protection authority for the member state the data controller is based or established in. Other recent examples of this include the Schrems case, which overturned the Safe Harbor agreement, and was brought by an Austrian in respect of his personal data uploaded onto Facebook in Austria. It involved a complaint brought to the Irish Data Protection Commissioner, and subsequently through the Irish courts. This is because the data controller, which was a subsidiary of Facebook, was registered in Ireland.
The recent decision of the Court of Justice of the European Union (CJEU) in the case of Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság confirms that European member states' Data Protection Supervisory authorities are entitled to enforce their Data Protection legislation against organisations based in other states where the infringement occurs in that Data Protection authority's jurisdiction.
In this case, Weltimmo s.r.o. (Weltimmo) was based and registered in Slovakia, but operated in Hungary. It runs a property dealing website focused on Hungarian properties, and offered an initial month's free advertising to encourage new advertisers. If advertisers wished to stop using the service within the first month, they could email a request to Weltimmo for the deletion of their advert and their personal data before the end of the free month. However, Weltimmo failed to delete these records, and instead charged these new advertisers, who refused to pay. This resulted in Weltimmo forwarding the personal data of these advertisers to debt collection agencies.
Complaints were made to the Hungarian Data Protection authority, which investigated and found that Weltimmo had breached the Hungarian Data Protection legislation and fined them approximately €32,000.
Weltimmo challenged the fine in the Hungarian courts on the grounds that they were not "established in Hungary" as they did not have either a registered office or a branch there. The Hungarian court rejected this defence on the basis that the processing of data and the supply of data services relating to Hungarian properties had taken place in Hungary. However, due to a lack of clarity of some of the facts, the Hungarian court set aside the fine.
Weltimmo appealed, seeking to avoid a fresh fine being levied against it, and argued that the Hungarian Data Protection authority was not competent and therefore was unable to apply Hungarian law in respect of a supplier of services established in another European member state. It claimed that the Hungarian Data Protection authority should have asked the Slovak Data Protection authority to act in its place. However, even though Weltimmo was registered in Slovakia, it did not carry out any processing activities there, and it was unclear whether or not the Slovak Data Protection authority would be able to investigate such a breach.
Weltimmo argued that by virtue of Article 4 of the European Data Protection Directive, it was not established in Hungary and therefore the Hungarian Data Protection Authority had no authority to investigate or issue a fine.
Article 4 states:
“1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;
(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;
(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.
2. In the circumstances referred to in paragraph 1 (c), the controller must designate a representative established in the territory of that Member State, without prejudice to legal actions which could be initiated against the controller himself.”
The Hungarian Data Protection authority argued that Weltimmo was established in Hungary by virtue of having:
Due to the cross-jurisdictional issues and the question of how the Directive should be interpreted, the Hungarian courts referred the matter to the CJEU for a preliminary ruling on whether or not the Hungarian Data Protection authority was entitled to investigate.
The CJEU agreed that Weltimmo was established in Hungary, and therefore the Hungarian Data Protection authority was entitled to enforce Hungarian Data Protection legislation against Weltimmo, and accordingly, issue a fine.
The court referred to recital 19 to the European Data Protection Directive which states "that establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements and that the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities."
The court then sought to clarify what is meant by establishment and concluded that for a data controller to be established in "a Member State other than the Member State or third country where it is registered, both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned."
It concluded that any organisation would be deemed to be established in a member state, and thus subject to that country's data protection legislation, if it undertook any real and effective activity, even a minimal one, exercised through stable arrangements, such as having an employee or a representative based or located in that state.
In light of their conclusions, the court held that:
This all amounted to evidence that Weltimmo was established in Hungary, and therefore, the Hungarian Data Protection authority was able to investigate and take enforcement action.
The implications of this decision are considerable, especially in relation to businesses operating in multiple member states.
It highlights the fact that the existing Data Protection Directive was drafted prior to the adoption of the internet as a means of processing personal data in multiple member states, where services are not physically delivered to individuals in that member state. This was one of the drivers behind the drafting of the new General Data Protection Regulation, which aims to ensure a consistent approach to regulating the processing of personal data across Europe. However, with a number of derogations permitted under the draft Regulation, this could force data controllers to implement policies and systems designed to meet the most stringent member state derogations, with a view to minimising exposure to fines or legal proceedings arising from any breach of privacy legislation.
This decision confirms that where a data controller is based in one state and is operating in another European member state jurisdiction, it must comply fully with the Data Protection legislation not just of the member state it is based in but also of any other jurisdiction in which it is operating. This is notwithstanding the fact that it may have no more than a nominal physical presence there. Having some intentional operation there, however minimal, may be sufficient to mean that it is established there and therefore accountable to that jurisdiction's privacy legislation.
The ruling also pre-empts the obligations in the forthcoming General Data Protection Regulation for organisations based in non-EU states that process personal data obtained or collected from EU residents or in EU member states.
This decision may potentially stop plans, under the forthcoming General Data Protection Regulation, to facilitate a 'one stop shop', i.e. the ability for organisations to elect a single Data Protection authority to govern all the organisation's processing of personal data across member states. It gives individual Data Protection Supervisory Authorities the power to investigate bodies that are based in foreign jurisdictions, provided that they have at least a nominal presence in that regulator's jurisdiction and it can be shown that they intended to process personal data from that jurisdiction.
Under this decision, provided that Facebook had some physical presence in Austria, such as an office, a nominated contact, or even an employee located there, Max Schrems would have been entitled to complain to the Austrian Data Protection authority instead of the Irish Data Protection Commissioner.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at November 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions on www.TLTsolicitors.com