• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

Far-reaching implications for multinational companies following landmark data protection ruling by CJEU

The CJEU has ruled that national data protection authorities may enforce national law against companies with ‘real and effective’ activity in their territory, even if the company is registered in another Member State.

The decision in Weltimmo1 will have far-reaching implications for companies that operate across multiple jurisdictions, meaning that international and online businesses may need to rethink their structures and strategy or face significant legal hurdles. Article 4(1) (a) of Directive 95/46/EC (the ‘Data Protection Directive’ or ‘DPD’)2  provides: ‘1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable. ’Article 28 of the DPD further provides that each Member State’s data protection authority (‘DPA’)must have powers of investigation, intervention and enforcement, and that a DPA is competent to exercise such powers in its own territory ‘whatever the national law applicable to the processing in question.’ National DPAs also have a duty to cooperate ‘to the extent necessary for the performance of their duties.’

Facts

Weltimmo s.r.o. is a company registered in Slovakia that runs a website dealing in Hungarian properties and processes the personal data of its advertisers. Weltimmo offers free advertising for a period of one month, after which the advertisers must pay a fee. Many of Weltimmo’s advertisers sent emails requesting that their advertisements and their personal data were deleted after this free initial period, but Weltimmo did not do so and charged the advertisers for its services. When the advertisers did not pay the amounts charged, Weltimmo passed the advertisers’ personal data to debt collection agencies. The advertisers complained to the Hungarian DPA, which found that Weltimmo had breached Hungarian data protection law and imposed a fine of HUF 10 million. Weltimmo appealed the fine in the Budapest administrative and labour court, arguing that its lack of a registered office or branch in Hungary meant that the Hungarian DPA was not competent to bring enforcement action. The court disagreed with this argument, but set aside DPA’s decision on the grounds that some of the facts were unclear. Weltimmo appealed this decision on a point of law, claiming that the facts were immaterial, that the Hungarian DPA lacked competency under Article 4(1) (a) of the DPD as Weltimmo was established in a different Member State. The Hungarian DPA argued Weltimmo’s representative in Hungary was sufficient to demonstrate its ‘establishment’ there, and that in any event, the DPA was competent to act under Article 28 of the DPD regardless of the applicable law. The Hungarian Kúria (Supreme Court) had reservations over the interpretation of the DPD and the determination of applicable law so referred the issue to the CJEU for a preliminary ruling.

Issues to be decided

The questions referred by the Hungarian Supreme Court centred on the interpretation of the concept of ‘establishment’ for the purposes of the DPD. In particular, the CJEU was asked to decide whether, in the context of Weltimmo’s situation, articles 4(1)(a) and 28 would permit the Hungarian DPA to apply Hungarian law to Weltimmo despite Weltimmo’s corporate base being in Slovakia. The CJEU was also asked to determine what factors would be significant in deciding where Weltimmo is ‘established’ for data protection purposes. As preliminary observations, the Court noted the Hungarian DPA’s submissions that Weltimmo “did not carry out any activity” in Slovakia, and that although Weltimmo was ‘established’ in Slovakia from a company law perspective, the word did not necessarily have the same meaning for the purposes of the DPD. The Hungarian DPA also submitted that Weltimmo’s websites were written solely in Hungarian, and that the company had a Hungarian bank account and used a Hungarian post box. Further, Weltimmo had representative in Hungary.

Judgment

The CJEU held that the national law applicable to a controller inrespect of processing should be determined under Article 4, whilst Article 28 applies to determine the powers and responsibilities of DPAs. The questions to be decided were therefore:

1. Whether Weltimmo was ‘established’ in Hungary under the language of Article 4; and, if so,

2. whether the data processing at issue was ‘in the context of the activities’ of that establishment.

The CJEU began by noting that the purpose of the DPD was to provide ‘effective and complete protection of the fundamental rights and freedoms of natural persons,’ and that, following the Google Spain case (C-131/12), the words ‘in the context of an establishment’ should be interpreted broadly. In considering this the Court referred to Recital 19of the preamble to the DPD, which provides: ‘establishment in the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or subsidiary with a legal personality, is not the determining factor in this respect […].’The Court also noted that the Opinion of the Advocate General emphasised that the concept of ‘establishment’ is flexible, and that the question of whether a data controller is ‘established’ in a Member State other than the one in which it is registered will need to be considered in the context of that company’s economic activities, “[particularly] for undertakings offering services exclusively over the Internet.” In answering the first question, the Court found that the concept of ‘establishment’ extends to ‘any real and effective activity,’ even if minimal, and that the presence of a single representative in a Member State may constitute a stable arrangement “if that representative acts with a sufficient degree of stability […] for the provision of the specific services” in that Member State. The Court held tha tWeltimmo’s website was undoubtedly a ‘real and effective activity,’ and that Weltimmo’s Hungarian representative, bank account and post box, if proven in the national courts, would suffice to prove Weltimmo’s ‘establishment’ in Hungary.

In relation to the second question, the Court found that there was “no doubt” that the processing of the advertisers’ personal data (i.e. uploading it to Weltimmo’s website and forwarding it to debt collectors) was “in the context of [Weltimmo’s] activities.”

Commentary

The immediate takeaway from Weltimmo is that companies with operations in more than one Member State may find themselves facing a raft of different national data protection laws. Data controllers will be subject to the national laws of the Member States in which they are ‘established,’ and following on the same course as the Google Spain decision, the CJEU has emphasised that the question of ‘establishment’ should be considered contextually rather than formalistically, and the DPD should be interpreted purposively to give as much protection to natural persons as possible. This creates uncertainty for businesses -especially for online businesses which have a small presence in a number of jurisdictions. The Weltimmo decision has demonstrated that a minimal presence may be sufficient for a DPA’s enforcement powers to bite, but has not made it clear where the line will be drawn: how minimal must a business’s presence be to avoid being subject to local regulation? The lack of clarity here will make it difficult for businesses to feel confident in their compliance practices without attempting to follow local law to the letter in every jurisdiction in which they operate, which will be a regulatory minefield and a commercial impossibility. Weltimmo is also a significant departure from the ‘one-stop shop’ ethos, which has been gathering momentum under the proposed General Data Protection Regulation (‘GDPR’): rather than the certainty of a single regulator, businesses may face the administrative burden of enforcement action across Europe. This would be less onerous if European data protection law did not vary so much in practice, but Weltimmo leads to a situation in which single companies may be subject to numerous regulatory frameworks. This case - together with the recent decision in Schrems – also illustrates the tension between the need for European institutions to protect the use of personal data and the necessity that they create a practical legal framework that will allow for the free movement of goods and services. Whilst a broad and purposive interpretation of legislation may offer the best protection to those individuals whose issues end up before the CJEU, it also has its downsides. It should be questioned whether increasing confusion surrounding European data protection law may lead to businesses lacking certainty over exactly what national laws they should comply with and consumers being less well protected overall (That said, the difficulty presented by pan-European variations in data protection law may be less of an issue once the GDPR has introduced more conformity).It should also be noted that this was a preliminary ruling, so the CJEU has not ruled that Weltimmo was in fact established in Hungary- that remains a question for the Hungarian courts to decide. The CJEU’s ruling has provided guidance on the interpretation of European law, and has clarified that the facts submitted by the Hungarian DPA may, if found to be true, lead to a valid finding of establishment.

For more information, please contact Nicola Fulford, Head of Data Protection & Privacy.

This article was originally published in the E-commerce Law Reports October 2015 edition. 

1.http://curia.europa.eu/juris/document/document.jsftext=&docid=168944&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=317949

2. http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf

Contact our experts for further advice

TomĀ Sutherland