TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | You're Watching Schrems, but Maybe You Should Be Watching Weltimmo Related reading: A view from DC: White House preps a 'bridge' to AI regulation



Each member state of the EU is required to have its own, independent data protection authority (DPA). The EU Treaties say so not just once but twice. Determining the precise jurisdiction of those authorities has become an issue of some significance in the past year, and that's exemplified in a Court of Justice of the European Union (CJEU) case that's worth watching: Weltimmo. 

Weltimmo concerns a website that was established by Hungarians and was directed at the Hungarian market but based in neighboring Slovakia, reported by The Privacy Advisor back in 2012. The Hungarian DPA imposed a fine upon Weltimmo for unauthorized data processing activities, and the CJEU is now being asked a couple of questions that relate to the validity of that fine under EU law.   

The first question concerns Article 28(1) of the Data Protection Directive, which provides that member states’ DPAs "are responsible for monitoring the application within its territory of” national data protection law. The court has been asked whether this means that Hungarian data protection laws can or cannot apply to Weltimmo, a property-dealing website established in Slovakia that advertises Hungarian property and where Hungarian property owners have forwarded their personal data to a server belonging to the operator of the Weltimmo website in Slovakia.   

The second question relates to Article 4(1) of the Data Protection Directive. This article states that national laws will apply to “processing … carried out in the context of the activities of an establishment of the controller on the territory of the member state.” The CJEU is being asked whether this means that Hungarian data protection law will apply to the operator of a property-dealing website established only in Slovakia where that website “also advertises Hungarian property whose owners transfer the data relating to such property probably from Hungarian territory to a … server … for data storage and data processing belonging to the operator of the website.”  

In the context of both questions, the court is being asked to consider the significance of a number of factors, including that the Slovakian website was directed at Hungarian territory and that “the owners of the undertaking established in Slovakia have their habitual residence in Hungary."

But Weltimmo isn't the only case in which the CJEU has looked at jurisdiction. 

In Google Spain, the CJEU held that a country’s laws would apply “when the operator of a search engine sets up in a member state a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that member atate." On foot of this judgment, a number of Europe’s DPAs have now initiated enforcement actions against other large American data controllers. The Belgian DPA, for example, has determined that Facebook, Inc., which is based in the U.S., “must … be considered as the only controller” of its Belgian users' data, not Facebook Ireland. The Belgian DPA used this finding to assert jurisdiction and issue recommendations to Facebook. Facebook is disputing the assertion, promising to “review the recommendations … with our European regulator, the Irish Data Protection Commissioner…”  

The jurisdiction of European DPAs is again being considered by the CJEU in Schrems, in which the court is being asked whether the Irish DPA “is absolutely bound” by a finding of the EU Commission that the so-called Safe Harbour Principles provide adequate data protections for EU citizens when data is transferred to the U.S. or whether the Irish DPA should “conduct … her own investigation” into the transfer of data from the EU to U.S.   

Both Schrems and Weltimmo were heard in March of this year. The different advocates general are due to give their separate opinions in Schrems on 24 June and the following day in Weltimmo. Those opinions may ultimately inform the judgment of each court, but each court’s judgment will be its own. Schrems has, so far, received more attention, but judgment in Weltimmo may ultimately prove to have longer term significance. This is because Weltimmo raises issues that are of particular relevance to the EU’s ongoing debate about the reform of its data protection laws. One is the obsolescence of the EU’s existing laws.

In a 2003 decision, Lindqvist, the CJEU held that “one cannot presume that the community legislature intended the expression transfer (of data) to a third country to cover the loading … of data onto an Internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them." It will be interesting to see whether the CJEU takes a similar approach to the application of that directive within the EU or whether it considers that the coming into force of the right to data protection provided by the EU Charter of Fundamental rights has reinvigorated the existing law. Any judicial pronouncements on the obsolescence of the existing law may increase pressure on the EU’s legislature to reform.

Another aspect is the relationship between the supervision of data protection and the EU’s single market. Article 16 of the Treaty on the Functioning of the EU requires that the EU legislate not just for data protection, but also for “the free movement of data." Judgment in Weltimmo may give some indication of how the CJEU thinks the EU should go about doing so.


If you want to comment on this post, you need to login.

  • comment Anna • May 27, 2015
    Thanks for a great article! But it's a bit peculiar that the web site is based in Slovenia for the first half of the article, and then in Slovakia... :)
  • comment Angelique • May 27, 2015
    Great catch, Anna. Editorial oversight. We've amended!
  • comment Michael • Jun 3, 2015
    Good article. I agree that Weltimmo may have serious practical consequences for the single digital market, as it was (also) envisaged in the eCommerce Directive (2000/31). The same can be said of the one-stop-shop mechanism in the Council's current draft of the GDPR, which provides powers for DPAs in countries without local establishment of a data controller etablished in another EU member state. Weltimmo and the GDPR may both be a step in the wrong direction.
  • comment Stuart • Jun 4, 2015
    Good brief!
    @Michael: the one-stop-shop mechanism is indeed the elephant in the room, isn't it? However, in a way it doesn't matter, because we can see from the Facebook approach that any contentious decisions in respect of one-stop-shop may be litigated again and again by disappointed litigant... and thus it may be nuanced rapidly and repeatedly by the CJEU with its jurisdiction over all the DPAs, taking into account whatever coherent concepts can be distilled from the "single digital market".
  • comment Michael • Jun 7, 2015
    @Stuart: I agree that these issues can be litigated under the current directive, but under the GDPR the one-stop-shop mechanism is (unfortuntely) quite clear. It is sad to see how the internal market (as it used to be called) is slowly being rolled back. The name "one-stop-shop" is being used in the GDPR for two distinct - in fact, completely opposing - mechanisms. The one that will be relevant for data controllers with an establishment in only one EU member state should more correctly be named the "28-stop-shops" mechanism, because that is how it would potentially work. I have clients that are providing online services across EU borders based on the true one-stop-shop mechanism in the directive (as we knew it before Facebook/Belgium and potentially Weltimmo...), and for them the 28-stop-shops mechanism will force them to think carefully about which countries they want to provide services to in the future. This is exactly the opposite as what the Commission is seeking to achieve in the new Digital Single Market Strategy.