ECJ Recommended Opinion on DPA Authority May Have Implications for Privacy Regulation

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

June 30 — A recent recommended opinion by the European Court of Justice's advocate general concerning which European Union member state data protection authority should have jurisdiction over a privacy complaint is causing concern among some attorneys interviewed by Bloomberg BNA.

In the June 25 opinion, Advocate General Pedro Cruz Villalón recommended that the ECJ, the EU's top court, should rule that if a data controller is exclusively “established” in one EU member state, then it should only have to deal with the data protection law and regulators in the country which it is established (Weltimmo s.r.o. v. Nat'l Auth. for Data Prot. and Freedom of Info., E.C.J., No. C-230/14, advocate general recommended opinion 6/25/15).

Villalón said that although other national DPAs should be entitled to monitor, intervene in and investigate a company's operations within their national territory, only the DPA in the country where the company has established its operations should have jurisdiction to declare operations unlawful and issue sanctions.

But the recommended opinion used a very broad definition of what would establish a company in a member state, leaving attorneys split over whether it helps clarify the legal situation for international businesses in Europe or complicates the issue for multinationals doing business in the EU.

If the ECJ adopts the advocate general's recommendation—something which it isn't legally obligated to do but often does—the ruling will have far-reaching consequences for current negotiations over the proposed EU-wide data protection regulation to replace the 20-year-old EU Data Protection Directive (95/46/EC), attorneys told Bloomberg BNA.

One-Stop Shop Concept 

Although Villalón's opinion isn't binding, practitioners agreed it holds great relevance for ongoing trilogue negotiations between the European Commission, European Parliament and Council of Ministers on the final form of the proposed data protection regulation, particularly provisions regarding DPA jurisdiction.

Carlo Piltz, an attorney at JBB Rechtsanwälte in Berlin, told Bloomberg BNA June 30 that how the ECJ interprets the Data Protection Directive will particularly influence negotiations over the planned EU-wide one-stop shop regulation, which ties in to issues raised in the present litigation—namely, how national DPAs should work together, establishing the parameters and conditions of cooperation, as well as determining jurisdiction.

The concept of a one-stop-shop for companies dealing with DPAs was a central component of the regulation when released by the European Commission, the EU's administrative arm, in 2012. Under the original plan, the DPA where a company had its headquarters in the EU would act as lead regulator. But since then, disputes about the ability of DPAs from other member states to handle complaints from data subjects in their countries have arisen.

Piltz said the case in question lays out the same problems the one-stop shop could face.

“Negotiators will get to see in real life what the EU directive now says about this situation, where different DPAs are involved but there is one main DPA,” Piltz said. “The negotiators could then say, ‘Well, we also wanted to foresee things like the current directive’ or ‘If that's how the ECJ sees it, we should amend the regulation because that's not the result we want,'” he said.

Hungary, Slovakia Parties 

The advocate general's opinion was sparked by a dispute between Slovakia-based data controller and operator of an online retail marketplace, Weltimmo s.r.o., and the Hungarian data protection authority, the National Authority for Data Protection and Freedom of Information (NAIH).

Weltimmo operated sites targeted at the Hungarian market, which were alleged to have misled customers about its offers and to have transferred customer data to third parties without notice or consent, the NAIH said in a 2012 statement. NAIH said it received several complaints concerning Weltimmo's non-compliance with Hungarian data protection law.

In a 2012 ruling (NAIH-510-6/2012/H), NAIH imposed a maximum fine for unauthorized data processing of 10 million Hungarian forints ($35,430).

Although Weltimmo had Hungarian customers, it challenged in court NAIH's jurisdiction to impose a fine because the company is based in Slovakia. The Hungarian court asked the ECJ for a ruling on the issue.

Clarification for Businesses?

The recommended opinion “is really highly relevant for companies like Facebook who say they have the problem of having to comply with 28 different data protection laws in the EU,” Piltz said.

Chief executive officers want to know who might fine them if something goes wrong in their handling of data, he said, and the opinion makes that clear, he said.

“I would close nearly all of my establishments and just open one in one European member state where I wanted that national data protection law to be applicable,” he said.

“So it's in a way good for companies because it's a more secure way for them to plan their business base—it's a source of security for businesses,” Piltz said.

Where is Company Established?

The recommended opinion used a broad definition for what establishing a company's operations means and that has raised questions among practitioners about how difficult it may be for the competent DPA is determined.

“In a nutshell, you have two interpretations of establishment: Either you take a strict interpretation of the concept and say, that you need to have a legal entity, like a subsidiary or affiliate to have an establishment,” Cedric Burton, of counsel at Wilson Sonsini Goodrich & Rosati, Brussels, told Bloomberg BNA June 30.

“Or you take a flexible interpretation of the law and say, whatever the form, what counts is having some stable arrangement and a real and effective activity in a member state,” he said.

In this case, the advocate general opted for the latter “flexible” approach which the NAIH told Bloomberg BNA June 30 that it interprets to mean it has proper jurisdiction in the case.

“Weltimmo maintained a website under an .hu domain, with Hungarian real estate advertisements,” Daniel Eszteri, an NAIH legal officer, said. “The website's language was Hungarian, and the managing director of the Slovakian company was also a Hungarian person with permanent residence in Hungary, The company did not make any commercial activity in Slovakia, only the postal address and seat was registered there.”

To contact the reporter on this story: Jabeen Bhatti in Berlin at correspondents@bna.com.

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

The advocate general's recommended opinion is available, in German, at http://goo.gl/dhdDE5.