EU data law
Engine trouble – what the ECJ's Google ruling means for non-EU businesses
In 2014, the European Court of Justice (ECJ) ruled that search-engine providers may be required under EU data protection law to delete search results that reveal information about individuals (often referred to as the ‘right to be forgotten’).
The ruling was made following a complaint by a Spanish man to Spain’s data protection agency that the appearance on Google of an auction notice for his repossessed house was an infringement of his privacy.
But while the effect of the ruling on search engines has been much discussed, another, so far scarcely noticed, aspect of the case (C-131/12) concerns the scope of EU data protection law and how it could apply to any cross-border group company.
Application of EU data protection law to third-country companies
Companies from so-called third countries (ie those not located in the EU) may have to comply with EU data protection law if they have an establishment (ie a branch office) in a member state or if they collect personal data in the EU.
According to court decisions, the branch office has to have a significant impact on the data processing of the non-EU parent company (cf. Superior Court of Justice Berlin, case 5 U 42/12 on Facebook's ‘tell-a-friend function’, dated 24 January 2014). If this requirement is not met, EU data protection laws do not apply.
New legal situation
The ECJ’s decision extends the concept of an establishment to include any subsidiary dealing with marketing activities in a member state that support the sales of the group’s parent company in the EU.
These subsidiaries can now also trigger domestic EU data protection laws even if the subsidiary is not involved in any of the parent company’s data processing.
What constitutes ‘data collection’?
While third-country companies may be affected by EU data protection law if they collect personal data within the EU, it is currently unclear what is meant by the term ‘collect personal data’.
For example, it is possible that the law could apply to companies with servers in third countries that collect personal data when accessed by devices within the EU.
The ECJ has left the answer open to interpretation.
Implications for EU and third-country companies
The ECJ’s decision brings the risk that group companies in member states may have to comply with EU data protection laws even if they are not involved in processing data for their parent company.
Companies operating across borders must carefully examine whether the decision affects them. This applies in particular to companies based in third countries that target customers in the EU.
Non-compliance with domestic EU data protection laws may result in fines, damages claims and public investigations.
In view of the ECJ’s decision, the risk of enforcement arises not only in member states in which data is actually being processed, but also in member states where products are being marketed by group companies.