In VKI v. Amazon EU, the Court of Justice of the EU on Thursday clarified which Member State’s data protection laws should apply to a data processing operation established within the EU but directed at a number of EU Member States. The applicant, VKI, was an Austrian consumer association; the respondent “… a company established in Luxembourg belonging to an international mail order group.”
One of the questions asked of the ECJ was whether the processing of personal data by Amazon was “ … governed exclusively by the law of the Member State in which the establishment of the undertaking is situated in whose framework the processing takes place …” or did Amazon EU have to “ … also comply with the data protection rules of those Member States to which its commercial activities are directed?”
In the Thursday ruling, the ECJ held that “ … the processing of data in the context of the activities of an establishment is governed by the law of the Member State in whose territory that establishment is situated.” As such it simply confirmed its previous judgment in Weltimmo. The ECJ’s short discussion of Weltimmo is interesting but perhaps the most significant feature of VKI v. Amazon EU may be what the ECJ did not discuss. The ECJ did not discuss the contract between Amazon and its customers, which provided that “Luxembourg law shall apply.” Instead, the ECJ held that “It is for the national court to determine … whether Amazon EU carries out the data processing in question in the context of the activities of an establishment situated in a Member State other than Luxembourg.”
This suggests that the jurisdiction clauses which are routinely inserted into consumer and commercial contracts may be irrelevant when deciding which Member State’s data protection laws apply.
Nor did the ECJ discuss whether there is any divergence between the ECJ’s previous decisions in Weltimmo and Google Spain; the ECJ having applied a broader interpretation of establishment in the latter case. This divergence was considered by Advocate General Saugmandsgaard Øe in his opinion; he was of the view that the ECJ had applied a broader interpretation in Google Spain because otherwise EU Data Protection law would not have applied at all. This issue was not discussed by the ECJ itself, which may suggest that it agrees with the opinion of its advocate general.
What the ECJ did discuss was how the criteria it had previously set out in Weltimmo might be applied. The ECJ reiterated that the establishment of a data processing operation “… extends to any real and effective activity, even a minimal one, exercised through stable arrangements.” When considering whether a data processing operation is established in a Member State “ … both the degree of stability of the arrangements and the effective exercise of activities in the Member State in question must be assessed."
In Weltimmo the ECJ had considered whether Hungarian or Slovakian data protection law should apply to a particular website. The ECJ held “ … that the presence of only one representative can, in some circumstances, suffice to constitute a stable arrangement if that representative acts with a sufficient degree of stability through the presence of the necessary equipment.” Another factor it found relevant in Weltimmo was “ … the running of one or several property dealing websites concerning properties situated in Hungary, which are written in Hungarian.” The ECJ made clear in VKI v. Amazon EU that a data processing operation will not be established “… merely because the undertaking’s website is accessible …” in a particular Member State. However, the ECJ repeated the opinion of its Advocate General that “… the fact that the undertaking responsible for the data processing does not have a branch or subsidiary in a Member State does not preclude it from having an establishment there.”
A subtle but significant point is raised by the ECJ’s reiteration of its view in Weltimmo that EU Data Protection law “ …requires the processing of personal data in question to be carried out not ‘by’ the establishment concerned itself but only ‘in the context of the activities’ of the establishment.” This suggests that a data controller may be established in one Member State, process personal data “in the context” of that establishment and be subject to that Member State’s data protection laws even though the actual processing is being carried out “by” equipment in another Member State or even outside the EU.
VKI v. Amazon EU is a significant judgment. A succession of ECJ decisions over the past couple of years have redefined what EU data protection law means: Digital Rights Ireland, Google Spain, Schrems, Bara, Ryneš and Weltimmo. VKI v. Amazon is not one of those cases: it simply reaffirms and clarifies the existing law. VKI v. Amazon EU is significant because it suggests that EU data protection law is becoming more settled.
Of course EU data protection law will change again, once the General Data Protection Regulation applies from 25 May 2018. But both the existing Data Protection Directive and the GDPR similarly apply “ … in the context of the activities of an establishment of a controller.” The texts of the Directive and the GDPR are not identical; subtle differences are to be found even in these few words. And the GDPR does contain a “hyper-bureaucratic” mechanism for co-operation between Data protection authorities. Hence further questions about jurisdiction may well be referred to the CJEU. But it must be hoped that the question of which Member States’ laws apply to a particular data processing operation has been answered, at least for now.
If you want to comment on this post, you need to login.