An article by Pieter Gryffroy*
On 4 May 2016, the official text of the General Data Protection Regulation (Regulation (EU) 2016/679), replacing the former Data Protection Directive (Directive 95/46/EC), was published in the EU’s Official Journal, together with the specific new Directive on the exchange of personal information between competent authorities for the purposes of crime prevention, investigation and prosecution. Thus, the EU’s legislative data protection reform initiated in 2012 came to a successful conclusion. However, the legislator was not the only important actor creating momentum in the reform of the EU’s data protection rules. During the same timeframe, the Court of Justice adopted a particularly pro-active stance in this field, in cases such as Digital Rights Ireland, Google Spain, and Schrems. The CJEU’s activism lead to its recent case law being referred to as the CJEU’s “Privacy Spring”. In the margin of the CJEU’s “Privacy Spring” and the more famous decisions, judgment was rendered in Weltimmo and Bara on 1 October 2015, fived days before the Schrems judgment. While most commentators overlooked or ignored these cases, they provide significant clarifications on questions of EU data protection law under Directive 95/46/EC. Addressing the Weltimmo and Bara cases is long overdue, but still highly relevant. Although the General Data Protection Regulation (hereinafter: GDPR) has entered into force on 24 May 2016, it shall only apply from 25 May 2018 onwards and thus Directive 95/46/EC (hereinafter: the Directive) will remain applicable for nearly two years to come. Moreover, the CJEU’s case law will remain relevant under the GDPR as well. Therefore, this article will analyse both cases and their impact, before and after the application of the GDPR in 2018.
Weltimmo is a company registered in Slovakia that operates a real estate website for Hungarian properties. In that capacity it processes personal data of the advertisers on the website. Property owners looking to sell can obtain an advertisement on the website free of charge for the duration of one month, after which a fee is charged. Many homeowners decided to use the free part of Weltimmo’s services, but were reluctant to pay the fee. They requested Weltimmo to delete both the advertisements and their personal data they had provided after the first month had lapsed. Weltimmo refused to do this and instead charged the customers in question. The fees went unpaid and consequently, Weltimmo forwarded the personal data of the customers who were in default to debt collection agencies.
In reaction to this, the affected customers lodged a complaint with the Hungarian Data Protection Authority (further: HDPA) which considered itself competent on the basis of the statute transposing Directive 95/46/EC into Hungarian Law and fined Weltimmo approximately EUR 32.000 for its actions. Weltimmo then brought an action before the competent national court, claiming that the HDPA had no jurisdiction over it. The court rejected this reasoning but overturned the HDPA’s decision because of a lack of clarity about certain facts. Weltimmo nonetheless appealed on a point of law and argued that under Art. 4(1) of the Directive Slovakian law was applicable, which the Hungarian authority was not allowed to apply pursuant to Art. 28 (6) of the Directive. Instead, it should have asked the Slovakian authority to intervene if it considered this necessary. In the end, the Hungarian Supreme Court stayed proceedings to refer several questions to the Court of Justice (hereinafter: CJEU). In essence, the referring court asked the CJEU whether Hungarian law was applicable in the case at hand, although the company was incorporated in Slovakia, and whether the HDPA was competent to take action, applying Hungarian law. The referring court also wanted to know if the HDPA could take action, even if only limited, in case Slovakian law was deemed to be applicable.
In regards to the question whether Hungarian law is applicable, the CJEU considers the meaning of “establishment” in the sense of Art. 4 (1) a) of the Directive. That article prescribes that each MS shall apply its national rules adopted pursuant to the Directive when the processing of personal data takes place in the context of the activities of the establishment of the controller on that MS’s territory. The CJEU repeats its argumentation from the Google Spain case and states that the concept of establishment, justifying the application of EU law, “implies the effective and real exercise of activity through stable arrangements”. The legal form of those arrangements, including the place of incorporation, does not matter. Nor does the extent of the real activity. The CJEU finds that Weltimmo did pursue an effective and real activity in Hungary, since it runs a website in Hungarian, aimed at Hungarian properties, which charges fees after the introductory period of one month has lapsed. Thus, for the purposes of the Directive, it is established in Hungary. The CJEU then goes on to examine whether the processing of personal data by Weltimmo was carried out in the context of that establishment. It finds, referring to its Google Spain and Lindqvist cases, that there can be no doubt that Weltimmo’s activity of loading personal data on its Internet page must be considered as a processing of personal data in the sense of Art. 2 (d) of the Directive. Therefore, Hungarian law applies to Weltimmo’s processing of personal data and under Art. 4, read in conjunction with Art. 28 of the Directive, the HDPA is competent to act, being an organ of the Hungarian State.
Although it was not necessary in the case at hand, the CJEU also addresses the question what action the HDPA could have taken had Slovakian law been applicable. The CJEU holds that in any case, the HDPA may investigate any complaint it receives, before even knowing the applicable law. However, when the HDPA or another national data protection authority comes to the conclusion that the law of another MS is applicable, it cannot impose penalties or sanctions outside the territory of its own MS because those sanctions have their legal basis in the national law of said MS. In such a case, the national data protection authority in question has, under the duty of cooperation of Art. 28(6) of the Directive, to request the supervisory authority of the MS whose law is applicable to intervene, potentially on the basis of the information gathered by the first national data protection authority.
In the Weltimmo Case, the CJEU clearly honours the territoriality principle that underpins the system of the Directive. Following this approach, national laws provide for the precise extent of the powers of the national data protection authorities, and the jurisdictional reach is territorially limited not only because of the national nature of the laws in question, but also because of the conflicting jurisdiction of the neighbouring Members States, having their own national laws on the subject and their own supervisory data protection authorities, all based on the Directive.
The decision in Weltimmo prevents companies from escaping the harsher enforcement of one EU Member State by creating an alternate corporate reality linking them to another. In doing so, the CJEU aims to protect the right to privacy and data protection of the EU citizens dealing with such corporate actors. That companies have an interest at all in attaching themselves to the law and supervisory authority of a different MS is because at the present time not all national data protection authorities are equally active and a certain disparity in the rules transposing the Directive into national law cannot be avoided. The GDPR aims to change that in order to guarantee legal certainty and create a level playing field for competitors.
First of all, the GDPR has introduced a single set of rules, to be applied uniformly across the EU. While issues of interpretation can never be ruled out, even with regard to the same set of rules, this will eliminate the incentives and possibility for companies to artificially and strategically try to attach themselves to certain MS with either more lenient rules or, more importantly, implementation deficits due to an inactive national data protection authority. Secondly, while the GDPR does not abandon the territoriality principle in relation to competence altogether, it contains novel and inventive procedures for cooperation, mutual assistance, joint operations and a consistency mechanism. Moreover, all national data protection authorities have to present activity reports annually, which will be made public. All of this aims at ensuring consistency in the application of the regulation by the national authorities. It also seeks to encourage the national supervisory authorities to take an active stance and aims to mobilize all of them to an optimal extent. Nonetheless, differences in absolute activity levels will foreseeably remain. Ultimately, however, it is the duty of the national courts in cooperation with the CJEU (Art. 267 TFEU) to ensure the uniform interpretation of the GDPR provisions throughout the Union.
Thus, in conclusion, the Weltimmo case used the principle of territoriality to effectively address the issue that some companies might be inclined to artificially pick which national law to comply with and which national data protection authority to deal with. The GDPR will change that status quo by providing for a single set of rules, to be applied in uniformity by supervisory authorities across the EU. This should eliminate the problems present in the Weltimmo case. Nonetheless, Art. 23 GDPR permits national legislators to diverge to a considerable extent from certain of the GDPR’s provisions, including the provisions covering the situation at issue in Weltimmo. In time, incentives to artificially attach a company to a more lenient MS law will revive. At that time, the CJEU’s decision in Weltimmo might provide guidance.
The applicants in the Bara case are self-employed persons who declared their personal income to the Romanian tax authority ANAF. ANAF subsequently passed this information on to the national health insurance fund (CNAS). On the basis of that information CNAS asked the persons concerned for the payment of arrears of contributions to the fund. The applicants challenged this transfer of information based on an internal governmental protocol, which happened without their consent and without them being informed beforehand. While Romanian law provides for certain data transfers from public authorities to the fund, it does not allow information relating to the income received by a data subject to be passed on. Under these circumstances, the referring court asked the Court of Justice four questions. The three first questions were deemed inadmissible, while the 4th question had to be reformulated. In essence, the CJEU addresses the question “whether Articles 10, 11 and 13 of Directive 95/46 must be interpreted as precluding national measures […] which allow a public administrative body in a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects being informed of that transfer and processing.”
The CJEU first establishes that the case indeed concerns the processing of personal data, which, subject to the exceptions set out in Art. 13 of the Directive, must comply with the principles of data quality set out in Art. 6 and which must be justified on one of the grounds contained in Art. 7. Moreover, the data controller must also comply with Arts. 10 and 11 of the Directive. These articles provide that, subject to the exceptions in Art. 13 and Art. 11(2), the data subject must be informed about the identity of the controller of the data, the purpose of the processing and certain categories of additional information such as the recipients of the information, in as far as the data subject does not know this information already and the information is necessary to guarantee fair processing in relation to the data subject. The CJEU analyses the case both from Art. 10 (data obtained directly from the data subject) and Art. 11 (data that was not directly obtained from the data subject), i.e., from the point of view of both the ANAF and the CNAS, and comes to the same conclusion: under the provisions of the Directive, the data subjects involved should have been informed beforehand. In this context, the CJEU does not assess whether, as required by the text of the Directive, “such further information is necessary, having regard to the specific circumstances in which the data are collected/processed, to guarantee fair processing in relation to the data subject”. Instead, the CJEU simply states that the information was not previously provided and moves on to the question whether the exceptions of Art. 11(2) or Art. 13 can apply. With this reasoning the CJEU strongly implies that providing the relevant information beforehand is necessary to guarantee fair processing in all circumstances. The CJEU then observes that while Arts. 11(2) and 13 of the Directive allow Romanian law to provide for legislative exceptions to Arts. 10 and 11 of the Directive, it has failed to do so in the case at hand. Although Romanian law provides for certain transfers of personal data between public authorities, it does not do so for information related to the income of the data subject. The governmental protocol on which the transfer was based cannot be qualified as a legislative measure and accordingly, the exceptions of Arts. 11(2) and 13 of the Directive cannot be applied. Consequently, the CJEU concludes that Arts. 10, 11 and 13 of the Directive preclude national measures such as the government protocol at issue in the Bara case. While the CJEU only refers to the provision of the Directive, it is important to note that the requirement of a legislative basis for transfers of personal data flows directly from the EU Charter. First, personal data must be processed fairly, on the basis of consent of the data subject or on another ground, laid down by law (Art. 8(2), first sentence EU Charter). Second, even when personal data has initially been processed lawfully, any restriction of an EU citizen’s right to data protection must be provided by law and meet the principle of proportionality (Art. 8 read together with Art. 52(1) EU Charter). Since transferring personal data between authorities without the data subject’s consent or knowledge constitutes such a restriction, the Charter requires MS law to expressly provide for it.
The Court of Justice again takes a data protection friendly view in the Bara case, requiring the data subject to be informed beforehand in all cases where his or her personal data is being transferred, even between public authorities. Nonetheless, articles 11(2) and 13 of the Directive allow national legislators to enact rules deviating from this right to prior information. The only problem in the Bara case was that Romania had not sufficiently precisely done so. The GDPR will affect the current situation in two ways. Firstly, the GDPR confirms the CJEU’s finding that certain information must always be provided to the data subject before processing his or her personal data, such as the purpose of the processing, the legal basis, the categories of data concerned and the recipients of such data. Additionally, the data controller also has to inform the data subject of further information necessary to ensure a fair and transparent processing in respect of the data subject. Such information concerns e.g. the time for which the data will be stored, the fact that the data subject has a right of access and a right to file a complaint, and the source of the data. Secondly, while the GDPR still allows MS to deviate from the right of the data subject to be informed when his or her personal data is being collected or transmitted, it imposes stricter conditions on the national legislative measures imposing such restrictions. Thus, in conclusion, the GDPR honours the sentiment of the Bara case by imposing stricter conditions on the data controller, obliging them to provide more information to the data subject about the collection and/or transmission of his or her personal data. Additionally, any restrictions of this obligation are subjected to stricter preconditions and safeguards, in line with the requirements of the EU Charter of Fundamental Rights.
In both the Weltimmo and the Bara case, the Court of Justice took a pro-active stand, aimed at providing EU citizens with proper privacy and data protection under the current legal framework, much like it did in the more famous cases, such as Google Spain and Schrems. In Weltimmo, the CJEU ensured that companies could not avoid the law of the MS where they pursue the real activities in the context of which the personal data is processed, by artificially attaching themselves to the law and enforcement regime of another, more lenient, MS. In Bara, the CJEU protected the right of the individual data subject to be informed about the collection and/or transmission of his or her personal data, subject to specific exceptions laid down by law and not just an internal and unpublished governmental protocol. Notably, although these judgments concern interpretations of the Directive, they will remain relevant even after 25 May 2018, when the GDPR will apply. While the GDPR will change the legal situation in both cases, its provisions seeks to ensure at least an equivalent protection of personal data as envisioned by the CJEU and required by Art. 8 of the Charter of Fundamental Rights of the EU.
*Pieter Gryffroy is a reserach assistant at the Jean-Monnet-Chair of Prof. Dr. Giegerich for European Law and European Integration. He studied law in Leuven (LLB and LLM at the KU Leuven) and in Saarbrücken (Europa-Institut).
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, p. 1–88. It replaces Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, p. 31-50.
 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, p. 89–131.
 CJEU, Joined Cases C-293/12, Digital Rights Ireland, ECLI:EU:C:2014:238.
 CJEU, Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317 (hereinafter: Google Spain).
 CJEU, Case C-362/14, Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650.
 See Zanfir, How CJEU’s “Privacy Spring” construed the human rights shield in the digital age, January 2015, p. 1, 10-11, available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2604895 (last accessed 15/06/2016).
 CJEU, Case C-230/14, Weltimmo s.r.o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639 (hereinafter: Weltimmo).
 CJEU, Case C-201/14, Smaranda Bara and Others v. Președintele Casei Naționale de Asigurări de Sănătate, Casa Naţională de Asigurări de Sănătate, Agenţia Naţională de Administrare Fiscală (ANAF), ECLI:EU:C:2015:638 (hereinafter: Bara).
 Article 99 of Regulation (EU) 2016/679.
 CJEU, Case C-230/14, Weltimmo, para. 9.
 CJEU, Case C-230/14, Weltimmo, para. 10.
 CJEU, Case C-230/14, Weltimmo, para. 11.
 CJEU, Case C-230/14, Weltimmo, para. 12.
 The CJEU also considers the factual circumstances of establishment in its preliminary observations, see CJEU, Case C-230/14, Weltimmo, para. 15-18.
 CJEU, Case C-230/14, Weltimmo, para. 28.
 CJEU, Case C-230/14, Weltimmo, para. 31.
 CJEU, Case C-230/14, Weltimmo, para. 32.
 CJEU, Case C-230/14, Weltimmo, para. 33.
 CJEU, Case C-101/01, Criminal proceedings against Bodil Lindqvist, ECLI:EU:C:2003:596.
 CJEU, Case C-230/14, Weltimmo, para. 35-38.
 See especially CJEU, Case C-230/14, Weltimmo, para. 54-60.
 CJEU, Case C-230/14, Weltimmo, para. 57.
 CJEU, Case C-230/14, Weltimmo, para. 56-57, 59.
 CJEU, Case C-230/14, Weltimmo, para. 57, 58.
 Although notably, Art. 23 does still allow MS to restrict the scope of certain provisions, disturbing the level playing field.
 See Art. 55 of Regulation (EU) 2016/679.
 See Arts. 60-76 of Regulation (EU) 2016/679.
 See Art. 59 of Regulation (EU) 2016/679.
 Although it should be noted than in such a scenario, Art. 4 of the Directive will no longer exist as a legal ground, expressly providing that the law of a MS applies to the processing of personal data by a controller in the context of an establishment on that MS’s territory. The GDPR does not contain an express provision on the territorial nexus to be applied in determining the applicable diverging MS law under the GDPR.
 CJEU, Case C-201/14, Bara, para. 14.
 CJEU, Case C-201/14, Bara, para. 15.
 CJEU, Case C-201/14, Bara, para. 16.
 CJEU, Case C-201/14, Bara, para. 18-28.
 CJEU, Case C-201/14, Bara, para. 28.
 CJEU, Case C-201/14, Bara, para. 28-30.
 Read Arts. 10 and 11 of the Directive; CJEU, Case C-201/14, Bara, para. 31 and following.
 CJEU, Case C-201/14, Bara, para. 32-34 and 42-43.
 Art. 10/11 of the Directive respectively.
 CJEU, Case C-201/14, Bara, para. 35 q. and 44 q.
 CJEU, Case C-201/14, Bara, para. 36-41 and 45.
 See Arts. 13(1) and 14(1) of Regulation (EU) 2016/679; subject to the exceptions in Arts. 13(4) and 14(5) of the regulation.
 See Arts. 13(2) and 14(2) of Regulation (EU) 2016/679; subject to the exceptions in Arts. 13(4) and 14(5) of the regulation.
 See Art. 23 of Regulation (EU) 2016/679; the justifying grounds however stay the same.
Copyright of the image: Defense Advanced Research Projects Agency (DARPA), https://commons.wikimedia.org/wiki/File:DARPA_Big_Data.jpg?uselang=de.