On 2 June 2016, the EU Court of Justice's ("CJEU") Advocate General issued an opinion on the applicability of national data protection laws in Verein für Konsumenteninformation v. Amazon EU Sàrl (Case C-191/15) (the "Opinion").
In the case at hand, Verein für Konsumenteninformation, a consumer protection association established in Austria, brought an action before the Austrian courts seeking an injunction to prohibit the use by Amazon EU Sàrl ("Amazon EU"), an e-commerce company based in Luxembourg, of allegedly unfair terms in its general conditions of sale in respect to consumers residing in Austria. In particular, one of the contractual clauses foreseen in the contracts provided that, in case of payment on invoice and in various other cases, Amazon.de could verify and evaluate the personal data of customers and exchange such data with other companies within the Amazon group, with the office of economic information and, where appropriate, with the company Bürgel Wirtschaftsinformationen GmbH.
In this context, the Austrian Supreme Court referred to the CJEU for a preliminary ruling a question on the interpretation of Article 4 (1)(a) of Directive 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Directive") which provides that:
"1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;"
In particular, the Austrian Supreme Court sought to clarify which national law transposing the Directive should apply to the processing of personal data by an undertaking that in the course of electronic commerce concludes contracts with consumers residing in other Member States. More specifically, the Austrian Supreme Court asked whether the processing of personal data should be governed exclusively by the law of the Member State in whose territory the undertaking processing the data has its establishment, or whether such undertaking would also be required to comply with the data protection rules issued by the Member States to which it directs its business activity.
The Opinion starts by clarifying that Article 4(1)(a) of the Directive must be interpreted as meaning that a personal data processing operation may only be governed by the law of one single Member State. The Member State whose law should apply is the Member State in which the controller has its establishment in the sense clarified by the CJEU in the Weltimmo case (C-230/14) (See VBB on Belgian Business Law, Volume 2015, No. 11, p. 10, available at www.vbb.com).i.e., an establishment where a controller exercises a "real and effective activity through stable arrangements", in the context of the activities of which the data processing is carried out.
In making a determination of an establishment, the Opinion notes that the fact that Amazon contacts and contracts customers through its website in German does not in itself determine the existence of an establishment in Austria, nor is this implied by the mere offer of post-sale services to customers in Austria.
Moreover, in the Advocate General's view, the broad interpretation of establishment adopted in the Google Spain case (C-131/12) (See, VBB on Belgian Business Law, Volume 2014, No. 5, p. 6, available at www.vbb.com) in which the CJEU considered that the activities of the operator of a search engine based in the United States and the activities of promotion and provision of an advertising space in its establishment in Spain were "inextricably linked" thereby concluding that the Spanish entity was a relevant establishment, as a result of which Spanish data protection law applied, is not applicable. The Advocate General is of the opinion that the Google Spain case must be distinguished from the present case. The former related to the question of whether or not EU law would apply at all to the processing, whereas the present case seeks to establish whether more than one national implementing law would apply cumulatively to the same processing operation.
The Opinion further suggests that the data processing operations foreseen in the contractual clauses at hand could be linked to the activities of a potential establishment of Amazon EU in Germany. According to the Advocate General, this could be argued because of the fact that it is through a website with a German domain name "www.amazon.de" that Amazon EU establishes relations with Austrian customers. Moreover, clause 6 of the general conditions of Amazon EU states that "Amazon.de" verifies, evaluates and exchanges - that is to say processes – customer's personal data. In light of such considerations, the applicability of a single national law, i.e., German law, could be considered.
It will however be for the national court to make a factual assessment on whether Amazon has an establishment in Germany or in Austria.
It now remains to be seen whether the CJEU will follow the Advocate General's Opinion.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.