Today the European Court of Justice (ECJ) decided in the case C-191/15 (Verein für Konsumenteninformation vs Amazon EU Sàrl). The ruling sheds light on some interesting questions with regard to consumer protection law and also assesses the European data protection rules on applicable law.
With regard to consumer protection, the case concerned potentially unfair terms in the terms of use of Amazon EU, a company established in Luxembourg. The ECJ clarified that the law applicable to the examination of the unfairness of terms in consumer contracts which are the subject of an action for an injunction (in this case by Verein für Konsumenteninformation) must be determined independently from the law applicable to the action of injunction itself. National courts might therefore face a situation where they would have to assess the unfairness of certain clauses in terms of use on the basis of the law of another Member State. This result is though not entirely surprising but is now affirmed by the ECJ in a case considering e-commerce.
With regard to the question of applicable data protection law, the ECJ clarified on the one hand, that one cannot freely choose the applicable data protection law in a contract or terms of use. Especially in Germany this was in the past a disputed question and many courts were (from my point of view wrongfully, which was no confirmed) of an opposing view.
This decision is furthermore of relevance for companies providing services to users within the EU, like Facebook with its EU headquarter in Ireland. The present case concerned a so called “inner EU” situation, where the headquarters and perhaps other establishments are located in various Member States and not outside of the European Economic Area. According to EU law, each Member State is to apply the national provisions it adopts pursuant to the data protection directive to the processing of personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. The processing of data in the context of the activities of an establishment is then governed by the law of the Member State in whose territory that establishment is situated.
The ECJ held that an establishment cannot exist merely because the undertaking’s website is accessible in a certain Member State. In this particular case, Austrian users were able to access the German website of Amazon EU. But this fact alone does not lead to the applicability of Austrian data protection law. Second, as regards the question whether the processing of personal data concerned is carried out “in the context of the activities” of that establishment, the ECJ interestingly referred only to its Weltimmo decision (C-230/14) and not to the Google Spain ruling (C-131/12). This is from my point of view of major significance because in Google Spain (which did not concern an “inner EU” situation because Google Inc. is established outside the EU), the notion of “in the context of the activities” was interpreted very broadly and the European data protection authorities already stated in their updated opinion on applicable law (Update of Opinion 8/2010, pdf) that this broad interpretation should also apply to “inner EU” situations. I think with this new ECJ decision, this view can be challenged with good reasons.
There are also right now cases pending before German courts (see my post on the ruling of the Administrative Court of Hamburg and the post on the ruling of the Higher Administrative Court of Hamburg) with regard to question of applicable data protection for Facebook and this ruling is definitely an advantage for the argumentation of Facebook that Irish data protection law applies to them.