EU data protection ruling affects jurisdiction-neutral online service providers, says expert

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said the ruling, by the Court of Justice of the EU (CJEU), confirms EU-based online platforms have an element of freedom over the way they can attract business from consumers from across the rest of the trading bloc.

In its new judgment, in a case involving online retail giant Amazon, the CJEU said that businesses with an establishment in an EU country will not necessarily be subject to the data protection laws of another country in which consumers it sells to are based "merely" because they have a website that is accessible in that country.

The CJEU also confirmed an earlier ruling in which it said that EU-based companies do not have to have physical premises in another EU country to be said to have an 'establishment' in that jurisdiction.

"While the fact that the undertaking responsible for the data processing does not have a branch or subsidiary in a member state does not preclude it from having an establishment there within the meaning of [the EU's Data Protection Directive], such an establishment cannot exist merely because the undertaking’s website is accessible there," the CJEU said.

The EU's Data Protection Directive states that where personal data processing is carried out by a data controller with an establishment in an EU country then the processing must adhere to the national data protection laws of that country. The Directive makes clear that organisations based in multiple EU countries must abide by each of the different data protection regimes with respect to their personal data processing in those countries.

Businesses that do not have an office in the EU can also fall subject to the Directive, however.

Where a data controller does not have an establishment in the EU but "makes use of equipment" in an EU country to process personal data then the national data protection laws of that EU country apply to that processing. This is unless the equipment is "used only for purposes of transit through" the EU.

In the case before it, the CJEU was asked by a court in Austria for help in determining whether Luxembourg-based Amazon, which attracts sales in Austria via a German website, is subject to Austrian data protection laws.

The question, posed by Austria's Supreme Court, is relevant to a broader dispute between Austrian consumer group VKI and Amazon over the fairness of the retailer's consumer terms and conditions. The Austrian courts have been assessing whether the fairness of those terms can be assessed in line with Austrian laws or whether the laws of other EU countries govern the arrangements. Some of Amazon's terms and conditions relate to its processing of consumers' personal data.

In assessing the jurisdictional points relating to the data protection issues in the case, the CJEU referenced criteria it outlined in a ruling last year for working out whether a company based in one EU country will be subject to data protection laws in another.

The CJEU said: "The processing of personal data carried out by an undertaking engaged in electronic commerce is governed by the law of the member state to which that undertaking directs its activities, if it is shown that the undertaking carries out the data processing in question in the context of the activities of an establishment situated in that member state. It is for the national court to ascertain whether that is the case."

In its 2015 judgment the CJEU had said that "the concept of ‘establishment’, within the meaning of [the Data Protection Directive], extends to any real and effective activity – even a minimal one – exercised through stable arrangements".

Wynn said: "The ruling offers welcome clarification on the application of data protection rules to businesses with an establishment in the EU that transact with consumers based across multiple countries within the trading bloc. In particular affects online technology companies that provide jurisdictionally-neutral services."

"The ruling confirms that such businesses will not become subject to data protection laws in other EU countries just because they operate websites in popular languages, like English or German, which can attract custom from people based in different EU countries from the ones they are based in," she said.

Wynn said, though, that the CJEU's ruling must be read in conjunction with a previous judgment of the court in a case involving another tech company which considered data processing in the context of the activities of an 'establishment' under the Data Protection Directive.

Wynn said: "In the context of this latest ruling, I would query in what circumstances the overt targeting of services at consumers in another EU country through a website may ever be sufficient, on its own, to constitute having an 'establishment' in that country such that the business would be subject to the local data protection regime."

A new General Data Protection Regulation will replace the existing Data Protection Directive in May 2018. Unlike the Directive, which has been implemented in different ways into national legislation by each EU country, the new Regulation will apply a single set of data protection rules across the EU.