Insights
Keep up to date with our latest insight pieces, news and industry developments. See below for the latest posts or use the categories to hone your search for stories of interest.
Rather listen? The WABChats Podcast provides engaging and informative conversations with contacts, clients, advisors and friends of White & Black Limited. Listen Now.
Data Protection: Establishing the establishment
In a case concerning Amazon, the CJEU confirms that there is a low threshold to find an “establishment” in a member state, so that national data protection laws apply.
The Court of Justice of the European Union (CJEU) has reaffirmed its previous decisions on the meaning of “establishment” in the context of processing personal data within a Member State. The decision is of particular relevance to organisations, which collect and process personal data online.
Background
In the recent case of Verein fur Konsumenteninformation v Amazon EU Sarl (Case C-191/15), the CJEU was asked by an Austrian consumer rights group to consider whether Amazon, with its registered offices in Luxembourg, amounted to an establishment in Austria when selling goods through its Amazon.de website to consumers in Austria. The importance of the interpretation of establishment originates in Article 4(1)(a) of the Data Protection Directive (95/46/EC, Directive). The Directive states that where a data controller has an establishment in another Member State, which, in the context of its activities, carries out data processing, the data controller must ensure that the establishment complies with national law within the Member State in which it is processing data.
Accordingly, if Amazon’s e-commerce activities in Austria were considered to be carried out by an establishment under the Directive, Amazon would be obliged to comply with Austrian data protection law when processing personal data. In this case, Amazon argued that Luxembourgish data protection law applied, as was stated in its unilaterally imposed standard terms and conditions.
Decision in Amazon
The CJEU confirmed the guidance it gave in Weltimmo s.r.o. v Nemzeti Adatvedelmi es Informacioszabadsag Hatosag (Case C-230/14 – Weltimmo), reaffirming that the concept of establishment includes any “real and effective activity, even a minimal one, exercised through stable arrangements”. Regarding whether or not Amazon’s e-commerce activities amounted to an establishment in Austria, the CJEU referred the case back to the national court. It will therefore be for the Austrian national courts to determine if data processing is being carried out in the context of activities of establishments within its jurisdiction.
WAB Comment
What does this mean for data controllers?
Many multinational organisations engaging in online business in the EU elect a single data controller in one Member State then treat any websites processing personal data within the EEA on their behalf as data processors. However, businesses following this approach should consider whether such websites could be deemed establishments by the relevant national courts, resulting in national law being applicable to the data processing activities. The judgment in Weltimmo gives guidance that merely having a website accessible in a Member State would not amount to an establishment, whereas having a physical branch would. Member States’ national courts are now therefore left to decide whether the grey area of an e-commerce website, which collects and processes user data, is an establishment whose processing activities should therefore be subject to national laws.
How will the law change under the GDPR?
Whilst the current Directive is applicable to all 28 Member States through implementation in national laws, some national laws are stricter than others and compliance requirements vary. For example, notification requirements to data protection authorities and security breach reporting requirements differ between Member States and getting this wrong could result in a fine or penalty from a data protection regulatory authority. This is why it is so crucial that data controllers and data processors know which laws they are subject to.
That said, the new EU General Data Protection Regulation (GDPR), which will take effect on 25 May 2018, will directly apply to all Member States, thereby harmonising data protection law across the EEA and in principle, reducing the variation in laws between Member States. See our other articles on the GDPR here. As the GDPR takes a similar approach to the current Directive regarding the establishment test, any decisions handed down now regarding the meaning of establishment should provide helpful guidance for when the GDPR comes into effect.
This blog post was written by Amelia Day, Trainee Solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.