Today the European Court of Justice (ECJ) decided in the case C-191/15 (Verein für Konsumenteninformation vs Amazon EU Sàrl). The ruling sheds light on some interesting questions with regard to consumer protection law and also assesses the European data protection rules on applicable law.
This decision is furthermore of relevance for companies providing services to users within the EU, like Facebook with its EU headquarter in Ireland. The present case concerned a so called “inner EU” situation, where the headquarters and perhaps other establishments are located in various Member States and not outside of the European Economic Area. According to EU law, each Member State is to apply the national provisions it adopts pursuant to the data protection directive to the processing of personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. The processing of data in the context of the activities of an establishment is then governed by the law of the Member State in whose territory that establishment is situated.
The ECJ held that an establishment cannot exist merely because the undertaking’s website is accessible in a certain Member State. In this particular case, Austrian users were able to access the German website of Amazon EU. But this fact alone does not lead to the applicability of Austrian data protection law. Second, as regards the question whether the processing of personal data concerned is carried out “in the context of the activities” of that establishment, the ECJ interestingly referred only to its Weltimmo decision (C-230/14) and not to the Google Spain ruling (C-131/12). This is from my point of view of major significance because in Google Spain (which did not concern an “inner EU” situation because Google Inc. is established outside the EU), the notion of “in the context of the activities” was interpreted very broadly and the European data protection authorities already stated in their updated opinion on applicable law (Update of Opinion 8/2010, pdf) that this broad interpretation should also apply to “inner EU” situations. I think with this new ECJ decision, this view can be challenged with good reasons.
There are also right now cases pending before German courts (see my post on the ruling of the Administrative Court of Hamburg and the post on the ruling of the Higher Administrative Court of Hamburg) with regard to question of applicable data protection for Facebook and this ruling is definitely an advantage for the argumentation of Facebook that Irish data protection law applies to them.