On 28 July 2016 the European Court of Justice issued its judgment (C-191/15) in a case brought by an Austrian consumer organisation against Amazon EU concerning its terms and conditions regarding processing of personal data. The Court ruled – in line with previous case law – that the data protection law of another Member State applies to an e commerce business if the processing of personal data is done in the context of the activities of the establishment of that business in that Member State.
What were the underlying facts?
Amazon EU is a company established in Luxembourg. It has no subsidiary or branch in Austria, but targets consumers in Austria through its website amazon.de. In its general terms and conditions, Amazon EU states that it may process personal data of customers (such as product reviews) and chooses Luxembourg law as the applicable law.
An Austrian consumer organisation filed a complaint about these terms and conditions, on the basis that they were prohibited by law and incompatible with good commercial practices.
What exactly did the court decide?
The Court of Justice ruled on the question whether an e-commerce company which enters into contracts with consumers in another Member State has to take into account solely the data protection law of the Member State where it is established (Luxembourg for Amazon EU), or if it also has to take into account the law of Member States to which it directs its activities (for Amazon EU also Austria and/or Germany).
According to the Court, the latter is the case. The Court referred to its Weltimmo case law (C 230/14) and ruled that:
- the fact that a company does not have a subsidiary or a branch in another Member State does not preclude it from having an establishment in that Member State within the meaning of data protection law;
- this establishment refers to any real and effective activity – even if minimal – exercised through stable arrangements;
- both the degree of stability of the arrangements and the effective exercise of activities in that other Member State must be interpreted in the light of the specific nature of the economic activities and the provision of services concerned;
- the activities do not have to be performed "by" the establishment itself, but only "in the context of the activities" of the establishment; and
- an establishment does not exist on the basis of the mere fact that a website of a company is accessible in a Member State.
Whether or not this was the case for Amazon EU needs to be answered by the national courts.
How is this judgment relevant to your enterprise?
Two important lessons follow from the above:
- e-Commerce companies operating across European borders do not, in principle, have to fear that data protection laws of all Member States where its website is merely accessible will apply.
- The absence of a subsidiary or a branch in a Member State is often not a valid excuse for failing to apply the data protection law of that State.