The Article 29 Working Party's guidance (12-page / 342KB PDF) is the watchdog's latest attempt to clarify the circumstances in which national data protection laws apply to businesses that have more than one establishment in the EU.
The Working Party, which is a committee made up of representatives from the 28 national data protection authorities within the EU, said EU data protection laws do not "create a 'one-stop-shop' whereby it would only be the law of the member state of the 'EU headquarters' that would apply to all processing of personal data throughout the EU". A complex 'one-stop-shop' system of regulation is envisaged under the planned new General Data Protection Regulation (GDPR). The GDPR will replace the existing Data Protection Directive when it comes into force.
"Whenever there is an establishment in any EU country, it has to be assessed in each case whether any particular processing activity is carried out in the context of the activities of that establishment," the Working Party said. "It is not at all uncommon that a company headquartered in one EU member state and having operations in multiple EU member states would need to comply with the laws of each of these member states (perhaps in respect of different parts of its processing operations)."
"To illustrate, a bank headquartered in one member state but offering retail banking services and operating a large number of branch offices throughout the EU must comply with each of these local laws. What applies in the off-line, bricks-and-mortar world, must also apply in the digital world. The contrary could risk encouraging all businesses that are sufficiently mobile, such as many engaged in doing business online, to engage in forum shopping. In turn, this could encourage a regulatory race to the bottom when it comes to data protection," it said.
A ruling by the EU's highest court, the Court of Justice of the EU (CJEU), in October last year also offered guidance to companies on when they might be said to be subject to multiple data protection regimes within the EU.
The Working Party's guidance also explained how EU data protection laws can apply to non-EU based companies, even if they process personal data outside of the EU. In this context the guidance expands on a 2014 case involving internet giant Google in which the CJEU ruled that Google was subject to Spanish data protection laws despite the company not processing any personal data in the country. The CJEU assessed the fact that Google had a Spanish subsidiary based in Madrid that promoted and sold advertising space for its search service when arriving at its decision.
"The key point is that even if the local establishment is not involved in any direct way in the processing of data … the activities of that local subsidiary may still bring the data processing within the scope of EU data protection law, as long as there is an 'inextricable link' between the activities of the local establishment and the data processing," the Working Party said.
In its guidance the Working Party said that although there needs to be an "economic link between the activities of the local establishment and the data processing activities" for those separate operations to be said to be inextricably linked, the economic link between those operations does not need to be "particularly direct".
It said an assessment of the link between personal data processing activities and other activities a company is involved in should happen on a case-by-case basis to determine whether EU data protection laws apply and, equally, whether more than one of the national laws apply to organisations.
The Working Party's guidance offered some clues to businesses on the kinds of business models that EU privacy watchdogs might view as triggering obligations to comply with EU data protection law.
"Companies have many ways to organise themselves and different business models exist," the Working Party said. "Each scenario must be assessed on its own merits, taking into account the specific facts of the case. It would be a mistake to read the CJEU ruling too broadly, and conclude that any and all establishments with the remotest links to the data processing activities will trigger application of EU law. It would be equally wrong to read the judgement too restrictively, and merely to apply it to the specific business model of search engine operators."
"Depending on the facts of the case and the role which the local establishment plays, the judgement may apply to other non-EU companies whose business model relies on offering 'free services' within the EU, which are then financed by making use of the personal data collected from the users (such as for advertising purposes). Further … it cannot be ruled out that the activities of companies operating under other business models can also fall within the scope of EU law: the activities of foreign companies offering their services in the EU in exchange for membership fees or subscriptions, for example. This may even include organisations seeking donations - where this is done within the context of one or more establishments in the EU," it said.
The guidance also confirmed that, for the purposes of EU law, a company does not necessarily have to have any establishment in the EU to still be held subject to EU data protection laws. It said that "using a national domain name [for example those rooted at '.co.uk' or '.de'] and/or using robots to collect information from European websites" could be construed as using equipment to process personal data, and therefore fall within the scope of the EU rules.
Kuan Hon, consultant lawyer to Pinsent Masons, the law firm behind Out-Law.com, said that the CJEU's judgment in the Google Spain case and the Working Party's latest guidance show the potential for EU data protection laws to "pierce the corporate veil".
"The case law and guidance confirm that if an organisation based outside the European Economic Area (EEA) sets up a subsidiary within the EEA then that non-EEA entity may itself become directly exposed to EEA data protection laws," Hon said. "This could deter non-EEA organisations not otherwise subject to EEA data protection laws from setting up EEA subsidiaries as well as branches. The 'equipment' jurisdictional ground, which is very broad, may even deter them from using data centres based in the EEA for their personal data processing."