On 1 October 2015 the European Court of Justice (“ECJ”) rendered a judgment in response to the questions raised by the Kúria (Hungarian Supreme Court) on the applicability of Hungarian data protection law and on the powers of the Hungarian Data Protection Authority (“DPA”) in relation to a company that is registered in Slovakia but offers online services in Hungary.
This was an important decision as the ECJ ruled that the concept of “establishment” in the meaning of article 4 of the Directive 95/46/CE of the European Parliament and of the Council of 24 October 1995 (the “Directive”) should be flexibly interpreted, and thus it cannot depend on the place where the company is registered.
The claimant, Weltimmo, is a company registered in Slovakia and runs a real estate services website for Hungarian properties. After a one-month grace period during which advertising on the website was free of charge, Weltimmo kept the advertisers’ data, charged them for the services it provided, and if necessary, sent their data to debt collection agencies. The Hungarian DPA fined Weltimmo for violation of the Law of 2011 on the right to self-determination as regards information and freedom of information. Weltimmo then brought an action before the Budapest Administrative and Labour Court and then to the Supreme Court.
In the first part of its decision, the ECJ clarifies that the applicable law to a data controller must be determined in light of Article 4 of the Directive rather than Article 28, which only relates to the role and powers of the supervisory authority. The ECJ further restates the ruling on the Google Spain case (C-131/12) and confirms that the words “in the context of the activities of an establishment” in Article 4 of the Directive cannot be interpreted restrictively. After having clarified that, the ECJ analyzes the several aspects of this requirement.
Firstly, the ECJ refuses to adopt a formalistic approach of the concept of “establishment” whereby companies would be deemed established solely where they are registered. This establishment concept must, however, imply that there is (1) a certain degree of stability of the arrangements; and (2) an effective exercise of activities. These two conditions must be interpreted in the light of the specific nature of the company’s economic activities and the provision of the services concerned. The ECJ further insists that this is even more true for companies such as the one at stake, which offers services only over the Internet.
Even more importantly, the ECJ affirms that the effectiveness of the activity can be very limited, as it was the case here, in which only one representative of Weltimmo was present in Hungary as the point of contact between the company and the data subjects. Indeed, the Court states that “the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment for provision of the specific services concerned in the Member State in question.”
Secondly, the ECJ assesses whether the processing of the personal data is carried out in the context of the activities of the establishment. The ECJ refers again to the Google Spain case and clarifies that this does not mean that the activity must be carried out by the establishment itself, but rather in the context of its activities.
The ECJ, while leaving the factual assessment of Weltimmo being established in Hungarian in the case at stake, has nevertheless broadened the territorial scope of domestic data protection law significantly by affirming that the mere presence of an individual in one Member State, who acts for a company registered in another Member State, can be sufficient for the DPA of the former Member State to have power over this company.
The case (C-264/14) can be found on http://www.curia.europa.eu
Click here for a PDF version of the 52nd edition of our ICT Law Newsletter.