Case law on establishment under the European Data Protection Directive
Published 19 April 2016
Where a data controller is operating in different member states, it raises the question of whether companies need to comply with only one EU national data protection law or with the laws of all member states in which they have a relevant 'establishment' within the meaning of Article 4(1)(a) of the European Directive 95/46/EC ("Directive").
A woman complained to the Hamburg Data Protection Authority (the "DPA") against Facebook for changing her chosen username from that of a pseudonym to her real name. The DPA found that Facebook could not change users' chosen usernames to their real names as German data protection law provides a right to a pseudonymised online profile (the "Order"). However, the Administrative Court of Hamburg recently overturned the Order and held that Irish data protection law applied irrespective of there being a Facebook office in Germany (the "Ruling"). In its Ruling, the business operations of Facebook Ireland and Facebook Germany both constituted 'establishments' within the meaning of the Directive. However it was held to be the law of the member state in which the disputed data processing is most closely associated with that applied. In this case, the laws of Ireland were held to be applicable on the basis that Facebook's European headquarters were in Ireland.
The Ruling indicates that Article 4(1)(a) of the Directive can be interpreted so that multi-national companies, such as Facebook, may avoid having to comply with conflicting national data protection laws of all applicable member states. It should be noted however, that the Ruling does contrast with the Weltimmo decision in which a broad interpretation of 'establishment' was taken i.e. if a data controller exercises "a real and effective activity – even a minimal one [through] stable arrangements" in a member state there will be an establishment.
The GDPR, when in force, will replace the Directive, and will have limited scope for deviations under national laws, therefore removing the issue of the conflicting laws in different member states. The GDPR also advocates a 'one-stop-shop' whereby the supervisory authority for the main establishment of the data controller will be the lead authority on ensuring compliance by that company throughout the EU. Whilst it is unclear as to how the 'one-stop-shop' will work in practice, this promise of greater clarity will be welcomed by companies operating across the EU.
Organisations should bear in mind that under the current European regime the relevant data protection laws will be those of the member state with which the data processing is most closely associated, which may not always be where the data subject, or indeed an establishment, is located.
To read the text of the Ruling, please click here. (German)
To read the press release on the Ruling from the DPA, please click here.
Submitted by Rhiannon Webster , Partner and Shehana Cameron-Perera, Trainee Solicitor