The territorial reach and enforcement jurisdiction of European Union’s data protection law has become a lot more important these days following the decision of the Court of Justice in the Schrems case. In a case decided just a few days before Schrems, the same court gave Directive 95/46/EC a broad reading holding that the laws of a Member State apply to data controllers in another Member State who operate a website that processes data of residents of the first Member State. The Court, however, construed the enforcement jurisdiction of supervisory authorities narrowly ruling they do not have the ability to impose penalties on controllers not established in the Member State. The judgment of the Court in Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, Case C‑230/14, October 1, 2015 has significant repercussions for EU and non-EU businesses that operate websites that target residents of a Member State and potentially for the territorial reach of the “right to be forgotten”.
One of the key issues in the case was whether Weltimmo, an company registered in Slovakia, was subject to the Hungarian data protection laws. Weltimmo operated a real estate website concerning properties located in Hungary which was hosted from facilities outside of Hungary. The site targeted Hungarian residents and collected personal data from them.
The Court of Justice had little difficulty finding that the controller of the data (the Slovak company) was subject to the Hungarian data protection laws.
Under Article 4(1)(a) of Directive 95/46, each Member State applies its own data protection laws to the processing of personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. The Court gave the term “establishment” a flexible definition, which in this case, was broad enough to include operating the website in issue. The Court also considered that there was processing of personal data of Hungarian residents carried out ‘in the context of the activities’ of that establishment. It doesn’t take too much to meet this test under EU law. It can be met by website users who load data onto Internet web pages in the Member State.
According to the Court:
In the present case, the processing at issue in the main proceedings consists, inter alia, of the publication, on Weltimmo’s property dealing websites, of personal data relating to the owners of those properties and, in some circumstances, of the use of those data for the purpose of the invoicing of the advertisements after a period of one month.
In this respect, it should be observed that, as regards in particular the Internet, the Court has already had occasion to state that the operation of loading personal data on an Internet page must be considered to be ‘processing’ within the meaning of Article 2(b) of Directive 95/46 (judgments in Lindqvist, C‑101/01, EU:C:2003:596, paragraph 25, and Google Spain and Google, C‑131/12, EU:C:2014:317, paragraph 26).
There is no doubt that that processing takes place in the context of the activities, as described in paragraph 32 of this judgment, which Weltimmo pursues in Hungary.
Therefore, subject to the checks referred to in paragraph 33 of this judgment, which it is for the referring court to carry out for the purpose of establishing, should that be the case, the existence of an establishment of the controller in Hungary, it must be held that that processing is carried out in the context of the activities of that establishment and that Article 4(1)(a) of Directive 95/46 permits, in a situation such as that at issue in the main proceedings, the application of the Hungarian law on the protection of personal data…
The Court also ruled that if the Hungarian data protection law did not apply, the Hungarian data protection authority would not have had the jurisdiction to impose penalties on Weltimmo. According to the Court:
Thus, when a supervisory authority receives a complaint, in accordance with Article 28(4) of Directive 95/46, that authority may exercise its investigative powers irrespective of the applicable law and before even knowing which national law is applicable to the processing in question. However, if it reaches the conclusion that the law of another Member State is applicable, it cannot impose penalties outside the territory of its own Member State. In such a situation, it must, in fulfilment of the duty of cooperation laid down in Article 28(6) of that directive, request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits, based, where necessary, on the information which the authority of the first Member State has transmitted to the authority of that other Member State.
The EU Directive applies to controllers not established on an EU territory where such entities, “for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community”. The case has significant consequences for Canadian businesses which operate websites from Canadian facilities which collect data from residents of the EU as it adds another basis for EU data protection laws to apply to such activities. Under Commission Decision 2002/2/EC of 20 December 2001 personal data from the EU can be transferred to Canadian entities that are subject to PIPEDA (or where there is express consent or another authorized means of transfer exists). However, if that decision is revoked by the EU Commission, or set aside by the CJEU, or if data protection authorities were to start blocking transfers of data to Canada based on the Schrems decision, the Weltimmo judgment with its expansive (but not entirely new) interpretation of the reach of EU law could force Canadian businesses to find new ways to lawfully transfer EU personal data to Canada.
The Court’s judgment which limits the enforcement powers of supervisory authorities is also important. For example, as Geert van Calster pointed out in a recent blog post, this aspect of the decision could support an “argument that the EU cannot extend its right to be forgotten rule to websites outside the EU’s domain”.