The relationship between the laws of the 28 Member States that make up the EU is defined by the EU Treaties. Article 16(2) of one of these, the Treaty on the Functioning of the EU, provides that the EU’s legislature must “lay down the rules relating to the protection of individuals with regard to the processing of personal data…and the rules relating to the free movement of such data …”

This means that the EU legislature cannot simply enact rules that provide for data protection; those rules must also provide for the free movement of personal data within the EU. These different objectives may seem, at times, to conflict with one another. And this potential for conflict can only be enhanced by the reality that an update of the EU’s current rules is long overdue.  

These current rules, the Data Protection Directive, date back to 1995. Discussions of proposals for reform are continuing and are well-advanced, but one issue of contention in those discussions has been the jurisdiction of member states' data protection agencies (DPAs). The European Commission had originally proposed a “one-stop shop”; after lengthy discussion, the EU Council had proposed an enhanced “European Data Protection Board.” The reconciliation of these various proposals is now being discussed in the trilogues that are being held between the Commission, Council and Parliament. Such discussions may well be informed by a judgment issued by the Court of Justice of the EU (CJEU) on Thursday, 1 October, in the case of Weltimmo (C-230/14), a judgment in which the CJEU has considered how the jurisdiction of the date protection laws of different member states may be resolved.

The subject of the case, Weltimmo itself, is a company registered in Slovakia that runs a website. On this website it advertises Hungarian properties, processing the personal data of its Hungarian advertisers to that end. These advertisements are initially free of charge but then fees kick in. Requests by Hungarian advertisers to delete their advertisements were ignored. Instead, charges were imposed, which debt collection agencies were engaged to recover.  Understandably aggrieved, the advertisers complained to the Hungarian DPA, which imposed a fine of HUF 10 million (approximately EUR 32 000) upon Weltimmo. This fine was then challenged by Weltimmo, which argued that it was not established in Hungary but rather registered in Slovakia and so not subject to Hungarian data protection law (paragraphs 10-12). Since this issue of jurisdiction was one of EU law, the Hungarian Courts then referred it to the CJEU by way of a request for a preliminary ruling. This request essentially asked two questions of the CJEU: firstly, how should a data protection supervisor decide if it has jurisdiction over a data processing operation and, secondly, what should happened if it decides that jurisdiction is something that it does not have.

The CJEU began its analysis of the first question by finding that the relevant law is Article 4(1)(a) of the Data Protection Directive. This provides that the law of a member state will apply to processing that is: “carried out in the context of the activities of an establishment of the controller on the territory of the Member State …” (paragraph 23). The CJEU went on to find that this meant that a member state’s data protection law would apply to a data controller that exercised “through stable arrangements … a real and effective activity—even a minimal one—in the context of which that processing is carried out.”  

The court went on to find that there appeared to be a couple of factors that seemed particularly relevant when considering whether a data processing operation was established in a member state. The first was that Weltimmo was running a property-dealing site that appeared to be targeted at the Hungarian market as it concerned Hungarian houses and was written in Hungarian. The second was that the controller had a representative in Hungary, who was responsible for debt recovery and had represented Weltimmo in Court (paragraph 66). Other factors mentioned by the court were that Weltimmo had a Hungarian bank account and a postal address. However, the court found it to be totally irrelevant that the data subjects who had complained were themselves Hungarian (paragraph 40). It is worth noting that the CJEU seems to envisage that this question of jurisdiction is a matter for the Hungarian DPA alone. The CJEU did not appear to envisage any role for the Slovakian authority in this decision. It should also be noted that the CJEU was at pains to make clear that the function of verifying the facts of the case at issue was one for the Hungarian court, not it (paragraph 33).

The CJEU then turned to the second question and considered what should happen where a DPA finds that it does not have jurisdiction to respond to a complaint that had been made to it. The court held that DPAs may investigate complaints received “irrespective of the applicable law and before even knowing which national law is applicable to the processing in question.” But if that authority should conclude that the law of another member state applies, then it could not impose penalties outside its own territory. In that case, it would have to “request the supervisory authority of that other Member State to establish an infringement of that law and to impose penalties if that law permits, based, where necessary, on the information which the authority of the first Member State has transmitted to it.” It might then happen that “supervisory authority to which … a complaint has been submitted may find it necessary to carry out other investigations, on the instructions of the supervisory authority of the other Member State” (paragraph 57-58).

Of course it is not yet clear what precise impact this judgment will have upon the trilogue negotiations that the EU’s legislature is now conducting in relation to data protection reform. But the CJEU’s clear analysis of the jurisdiction and responsibilities of different DPAs must be of assistance and hopefully will enable the EU to bring those negotiations to a close.