EU Top Court: Minimal Contact OKs Privacy Oversight

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Oct. 1 — Potentially making it easier for European Union privacy regulators to control the activities of foreign multinationals, the European Court of Justice held Oct. 1 that EU member state data protection authorities may regulate data processing by foreign companies even if they have a minimal presence in the DPA's territory (Weltimmo s.r.o. v. Nemzeti Adatvedelmi es Informacioszabadsag Hatosag, E.C.J., No. C-230/14, 10/1/15).

In a case referred by Hungary's Supreme Court, the ECJ said that under the EU Data Protection Directive (95/46/EC), national courts may impose sanctions for privacy infringements on foreign companies with “establishments” on their territory that are linked to companies' data processing activities, but that an “establishment” could be as little as having a representative, bank account or postal address in the country.

Bart W. Schermer, a privacy lawyer and partner at Dutch legal consulting company Considerati, told Bloomberg BNA Oct. 1 that according to the ECJ ruling, an establishment of a foreign company “does not really have to be very substantial for the local DPA to have jurisdiction.”

The ruling “ has quite some impact for organizations like Facebook, and also other multinationals,” Schermer said.

The ruling may influence a proceeding in Belgium in which the Belgian Privacy Commission is seeking to sanction Facebook Inc. for privacy breaches, Schermer said.

‘Establishment' Defined

The ECJ ruling concerned a case involving a Slovakian real estate company.

The Hungarian DPA sought to impose its largest fine to date, approximately $45,000 on the company, Weltimmo S.R.O., for allegedly failing to respect requests from Hungarian data subjects for deletion of their data, and for transferring their data to other parties (166 Privacy Law Watch, 8/28/12)(11 PVLR 1353, 9/3/12). Weltimmo contested the fine in the Hungarian courts .

The ECJ said that the Hungarian DPA had the right to impose the fine because Weltimmo has a representative, an address and bank account in Hungary and “unquestionably pursues a real and effective activity in Hungary.”

The ECJ defined the concept of an “establishment” of a company in a country other than its home country as “any real and effective activity—even a minimal one—exercised through stable arrangements.”

National courts would have to determine on a case-by-case basis if the data processing activities of foreign companies were done through “establishments” on national territory, the ECJ said.

Tom de Cordier, a partner at CMS DeBacker in Brussels, told Bloomberg BNA Oct. 1 that the “main novelty” of the ruling was the definition of an establishment, which “so far in practice was determined in a slightly stricter way.”

Impact on Belgian Case Against Facebook?

The Belgian Privacy Commission filed a civil case in Brussels against Facebook, after deciding the social media giant's response to a recent investigation into its use of cookies to track users was inadequate (115 Privacy Law Watch, 6/16/15)(14 PVLR 1144, 6/22/15).

The ruling “ has quite some impact for organizations like Facebook, and also other multinationals.”

Bart W. Schermer, Partner, Considerati

In response to the Belgian DPA's recommendation for changes, Facebook said that its European operations are based in Ireland and overseen by the Irish data protection commissioner and added that the applicability of the Belgian PrivacyCommission's recommendation was “unclear” (95 Privacy Law Watch, 5/18/15)(14 PVLR 875, 5/18/15).

Schermer said the Weltimmo ruling might “strengthen the case of the Belgian DPA” that Belgian privacy law applies to Facebook. A ruling in the Belgian case is expected in late October.

De Cordier said the presence of an establishment may be less significant in the Belgian Facebook case than demonstrating the connection of that establishment with the company's data processing operations.

The ECJ's Weltimmo judgment said that DPAs could enforce privacy laws against foreign companies “where the data processing is carried out in the context of the activities conducted on its territory by an establishment of the controller,” but Facebook has only a public affairs office in Belgium that is distinct from its data processing activities, de Cordier said.

At a recent Bloomberg Law sponsored panel, Irish Data Protection Commissioner Helen Dixon discussed the changes coming under the proposed data protection regulation and Ireland's role in overseeing multinationals with headquarters in Ireland, including Facebook.

‘Duty of Cooperation'

The Weltimmo judgment also said that even if a foreign company isn't considered to have an establishment in a country, that country's DPA could still pursue a privacy case against the foreign company, but would be unable to enforce sanctions.

In this situation, there would be a “duty of cooperation” between EU DPAs, under which one DPA could ask another to impose a fine, the ECJ said.

De Cordier said that this meant in the Facebook case in Belgium, that “if Belgian law doesn't apply, it doesn't mean the Belgian DPA can't investigate.”

The Belgian DPA could pursue an investigation and ask Ireland's Office of the Data Protection Commissioner to impose sanctions, de Cordier said.

The Weltimmo ruling was “a one-stop shop decision really,” de Cordier said, referring to the supervisory system that has been put forward for the EU under the proposed data protection regulation to replace the Data Protection Directive. Under the proposed one-stop shop, a lead DPA would be established but DPAs would be expected to cooperate on enforcement.

Data Transfers by Public Bodies

In a separate ruling, the ECJ Oct. 1 held that a public authority can't transfer personal data to another public authority without first telling the data subject what categories of data would be transferred and for what purpose, and without providing the data subject with an opportunity to access and rectify the data (Bara v. Presedintele Casei Nationale de Asigurari de Sanatate, E.C.J., No. C-201/14, 10/1/15).

Prior notification would be in line with the “requirement of fair processing of personal data” in EU law, the ECJ said.

The Court of Appeal in Cluj, Romania, asked for the ECJ ruling in a case in which a group of self-employed workers objected to the transfer of data on their declared incomes from the country's tax authorities to its national health insurance fund.

Cambridge Associates, an Irish data protection consulting company, said in an Oct. 1 blog post that the ruling meant that data sharing between different EU public bodies should only by done on the basis of “a clear prior communication of the existence of the legal basis for the processing and the relevant controls governing the processing.”

Request Bloomberg Law Privacy and Data Security