Each member state of the EU is required to have its own, independent data protection authority (DPA). The EU Treaties say so not just once but twice. Determining the precise jurisdiction of those authorities has become an issue of some significance in the past year, and that's exemplified in a Court of Justice of the European Union (CJEU) case that's worth watching: Weltimmo.
Weltimmo concerns a website that was established by Hungarians and was directed at the Hungarian market but based in neighboring Slovakia, reported by The Privacy Advisor back in 2012. The Hungarian DPA imposed a fine upon Weltimmo for unauthorized data processing activities, and the CJEU is now being asked a couple of questions that relate to the validity of that fine under EU law.
The first question concerns Article 28(1) of the Data Protection Directive, which provides that member states’ DPAs "are responsible for monitoring the application within its territory of” national data protection law. The court has been asked whether this means that Hungarian data protection laws can or cannot apply to Weltimmo, a property-dealing website established in Slovakia that advertises Hungarian property and where Hungarian property owners have forwarded their personal data to a server belonging to the operator of the Weltimmo website in Slovakia.
The second question relates to Article 4(1) of the Data Protection Directive. This article states that national laws will apply to “processing … carried out in the context of the activities of an establishment of the controller on the territory of the member state.” The CJEU is being asked whether this means that Hungarian data protection law will apply to the operator of a property-dealing website established only in Slovakia where that website “also advertises Hungarian property whose owners transfer the data relating to such property probably from Hungarian territory to a … server … for data storage and data processing belonging to the operator of the website.”
In the context of both questions, the court is being asked to consider the significance of a number of factors, including that the Slovakian website was directed at Hungarian territory and that “the owners of the undertaking established in Slovakia have their habitual residence in Hungary."
But Weltimmo isn't the only case in which the CJEU has looked at jurisdiction.
In Google Spain, the CJEU held that a country’s laws would apply “when the operator of a search engine sets up in a member state a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that member atate." On foot of this judgment, a number of Europe’s DPAs have now initiated enforcement actions against other large American data controllers. The Belgian DPA, for example, has determined that Facebook, Inc., which is based in the U.S., “must … be considered as the only controller” of its Belgian users' data, not Facebook Ireland. The Belgian DPA used this finding to assert jurisdiction and issue recommendations to Facebook. Facebook is disputing the assertion, promising to “review the recommendations … with our European regulator, the Irish Data Protection Commissioner…”
The jurisdiction of European DPAs is again being considered by the CJEU in Schrems, in which the court is being asked whether the Irish DPA “is absolutely bound” by a finding of the EU Commission that the so-called Safe Harbour Principles provide adequate data protections for EU citizens when data is transferred to the U.S. or whether the Irish DPA should “conduct … her own investigation” into the transfer of data from the EU to U.S.
Both Schrems and Weltimmo were heard in March of this year. The different advocates general are due to give their separate opinions in Schrems on 24 June and the following day in Weltimmo. Those opinions may ultimately inform the judgment of each court, but each court’s judgment will be its own. Schrems has, so far, received more attention, but judgment in Weltimmo may ultimately prove to have longer term significance. This is because Weltimmo raises issues that are of particular relevance to the EU’s ongoing debate about the reform of its data protection laws. One is the obsolescence of the EU’s existing laws.
In a 2003 decision, Lindqvist, the CJEU held that “one cannot presume that the community legislature intended the expression transfer (of data) to a third country to cover the loading … of data onto an Internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them." It will be interesting to see whether the CJEU takes a similar approach to the application of that directive within the EU or whether it considers that the coming into force of the right to data protection provided by the EU Charter of Fundamental rights has reinvigorated the existing law. Any judicial pronouncements on the obsolescence of the existing law may increase pressure on the EU’s legislature to reform.
Another aspect is the relationship between the supervision of data protection and the EU’s single market. Article 16 of the Treaty on the Functioning of the EU requires that the EU legislate not just for data protection, but also for “the free movement of data." Judgment in Weltimmo may give some indication of how the CJEU thinks the EU should go about doing so.
If you want to comment on this post, you need to login.