On 25 June 2015, Advocate General Pedro Cruz Villalón (the "Advocate General") delivered his opinion on the law applicable to the processing of personal data and on the competent supervisory authority, under Directive 95/46/CE of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Data Protection Directive"). The opinion was given in a case pitting Weltimmo s.r.o. ("Weltimmo"), a firm established in Slovakia, against the Hungarian supervisory authority (Case C-230/14).

Weltimmo has its seat of incorporation in Slovakia and operates a website of real estate intermediaries which publishes advertisements of real property located in Hungary. These advertisements are free only for the first month, and several advertisers who did not wish to pay for subsequent months requested Weltimmo to remove their advertisement and erase their personal data. Weltimmo ignored these requests and issued invoices for its services. When the invoices were left unpaid, it proceeded to communicate the advertisers' personal data to collecting agencies. Following complaints from the advertisers, the Hungarian supervisory authority considered that Hungarian law applied and imposed a fine. Before the Kúria (Hungarian Supreme Court), Weltimmo challenged the application of Hungarian law and claimed that the Slovakian supervisory authority was solely competent. The Hungarian supervisory put forward that Weltimmo had a "Hungarian contact person" and that many of its owners resided in Hungary. It also claimed that, regardless of applicable law, Article 28(6) of the Data Protection Directive creates a competence in its favour. The Kúria stayed the proceedings to request a preliminary ruling from the Court of Justice of the European Union ("ECJ").

In his Opinion, the Advocate General distinguished the issue of the law applicable to the data processing from the question of the competent supervisory authority.

Applicable law

First, the Advocate General addressed the applicable law. Article 4(1)(a) of the Data Protection Directive provides that "each Member shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State". The Advocate General noted that this provision fulfils a double function. It allows the application of EU law via the law of a Member State to data processing that occurs in third countries, provided such processing is carried out in the context of activities of an establishment located in the EU. This was the case in Google Spain and Google (See VBB on Belgian Business Law, Volume 2014, No. 5, p. 6, available at www.vbb.com). But it also operates as a conflict of law rule for deciding between legislations of different Member States. The Advocate General held that only this second function was relevant to the case at hand.

According to the Advocate General, the key issue was whether Weltimmo had an establishment on the territory of Hungary. The Advocate General held that recital 19 of the Data Protection Directive enshrines a flexible interpretation of the notion, because: (i) it introduces a criterion of effectivity and an element of permanency by providing that "establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements"; and (ii) it demonstrates great flexibility by stating that "the legal form of such an establishment [...] is not the determining factor in this respect". Moreover, the specific objective of the Data Protection Directive is defined in Article 1(1) as "protect[ing] the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data".

The Advocate General considered that this implied that the degree of stability of the installation and the reality of activities must be assessed with regard to the specific nature of economic activities. For companies operating exclusively through the Internet, the Advocate General held that their economic model causes the notion of permanent physical installation to be relative and lowers the intensity of the human and material factors required. He concluded that a single agent could suffice to consider that there is a stable installation, if that agent acts with a sufficient degree of stability due to the presence in the Member State in question of means necessary to provide concrete services. Thus, although Weltimmo is formally registered in Slovakia, nothing rules out that it effectively and genuinely pursues its activities in Hungary through an establishment.

Jurisdiction

Second, the Advocate General focused on the question of whether the supervisory authority of a Member State is competent when the law of another Member State is applicable, pointing out that this issue only becomes relevant if the Kúria considers that Weltimmo is established exclusively in Slovakia. In answering the question, the Advocate General tried to reconcile the objectives of the Directive with the principles governing the actions of administrative supervisory authorities.

On the one hand, the effective application of the Data Protection Directive requires that the local authority be able to conduct an investigation and adopt certain measures, even before having determined applicable law. Moreover, Article 28(4) of the Data Protection Directive obliges supervisory authorities to hear claims by any person relating to the protection of his rights and freedoms in regard to the processing of personal data. Thus, even if the applicable law is that of another Member State, other connecting factors may imply that a supervisory authority is competent to a certain extent.

The Advocate General added, however, that the exercise of powers under public law must respect the requirements arising from the territorial sovereignty of States, the principle of legality and the rule of law. In particular, repressive power cannot be exercised outside the legal limits within which an administrative authority is empowered to act in line with its national law. Departure from these rules requires a specific legal basis delineating the application of public law of another Member State, which meets the criterion of foreseeability. According to the Advocate General, Article 28 of the Data Protection Directive does not offer a sufficient legal basis in this regard. Instead, the necessary cooperation between different supervisory authorities set out in Article 28(6) entails that the local supervisory authority must request the supervisory authority of the Member State whose law applies to find a potential infringement and if necessary impose penalties (on the basis of the information collected and transmitted by the authority of the first Member State).

The Advocate General concluded that although a local supervisory authority may exercise the set of powers granted by Article 28(3) of the Data Protection Directive which defines the powers of the national data protection authorities and provides that an appeal against a decision of the authorities can be brought before the national courts. Nevertheless, the Advocate General also maintained that the supervisory authority of the Member State whose law applies is exclusively competent for penalising infringements concerning data processing on its territory.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.