In early October, shortly before the Court of Justice of the EU (CJEU) handed down its judgement in the much discussed Schrems case invaliding Safe Harbor, it delivered another landmark ruling concerning personal data protection that has been largely overshadowed by the Safe Harbor decision.
In Weltimmo s.r.o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, the CJEU ruled that national data protection legislation of an EU Member State may apply to foreign companies that carry out “real and effective activity”, even if minimal, in that Member State. This ruling has significant ramification on companies carrying out their activities across borders, in particular online businesses. Previously, multinationals could reasonably rely on the fact that they were subjected to one set of data protection laws and one regulator – the Data Protection Authority (DPA) in the EU Member State in which their company was based and registered as a data controller.
Weltimmo, a company registered in Slovakia, operated a website advertising the sale of properties in Hungary and in the course of its activities processed personal data of Hungarian advertisers, allegedly in breach of the Hungarian data protection law. The advertisers complained to the Hungarian DPA which imposed a fine on Weltimmo. Weltimmo challenged the fine before the Hungarian courts on the grounds that the Hungarian DPA had no jurisdiction over it.
The CJEU considered the meaning of “establishment” under the Data Protection Directive and concluded that because Weltimmo pursued “real and effective activity in Hungary”, it had an establishment in Hungary. Consequently, it was subject to Hungarian data protection laws, on top of the data protection of its home country, Slovakia. The CJEU took into account that Weltimmo had a representative in Hungary, a website in Hungarian aimed at Hungarian residents, a letter box and a bank account; these were sufficient to qualify as ‘establishment’. The CJEU, however, stopped short of endorsing the Hungarian DPA’s authority to impose and collect the fine; the Hungarian DPA was able to hear and investigate the case but would need to request the cooperation from the Slovak DPA to enforce the fine.
It yet remains to be seen how this decision will be reconciled with the General Data Protection Regulation which is to be finalized in the coming months and which envisages that EU organizations will only have to deal with one single DPA, typically the DPA in the Member State in which their company has its EU headquarters.