15 October 2015 – While everybody was watching in the direction of the Schrems case, two other rulings that the Court of Justice of the European Union made the previous week went unnoticed. Because they specify the procedures to process personal data within public administrations and extend the scope of action of national data protection authorities, these decisions could have consequences in some upcoming European policies.
Last October 1st, the Court pronounced two important judgments in terms of data protection. The first, concerning the Bara case, imposes new obligations on public administrations that process personal data. Ms. Bara had indeed challenged the transfer of some of its data from the tax administration to the Romanian National Social Security Fund. According to the decision of the Court, the Directive 95/46/EC on personal data protection obliges public bodies to inform individuals about the transfer of their personal data to another administration and about the processing by the recipients to which they will be subjected.
Because it is a necessary condition for the full exercise of the rights to access, rectification and opposition, this new obligation for public administrations should be taken into account into the Commission’s Digital Single Market strategy. The “once for all” principle, which is planned to be implemented by this strategy, should indeed make easier for public bodies to reuse personal information they already hold: they will not have to ask the citizens for it again. Linked with the current search for further interoperability, the implementation of this principle could lead to an increasing number of transfers of personal data between different public bodies. At this time, the decision of the ECJ will be particularly important.
The second ruling, concerning the Weltimmo case, is mainly about the concept of “establishment”. Weltimmo, which is a company running a property dealing website concerning Hungarian properties, has been fined by the Hungarian Data Protection Authority (DPA) for non-compliance with the Hungarian transposition of the Directive 95/46/EC. Weltimmo being registered in Slovakia, it challenged the DPA’s decision on the basis of that same directive which subjects an organisation to the legislation of a Member State “in so far as [it] exercises, through stable arrangements in the territory of that Member State, a real and effective activity – even a minimal one”. The ECJ therefore had to define more clearly what constitutes “stable arrangements”. It finally ruled that “the presence of only one representative can, in some circumstances, suffice”.
It is then in a really flexible way that the CJEU defines the concept of “establishment”. It thereby expands the scope of action of national data protection authorities to companies registered in another Member State but operating on their territory. This decision certainly will have consequences in the current negotiations on the upcoming data protection Regulation. The latter plans indeed the implementation of a one stop shop mechanism to ensure a more effective protection of personal data in transnational affairs. There is no doubt that the definition given by the Court to the concept of “establishment” will be, this time too, very important.
AEDH calls on the European institutions to take these two decisions into account for future initiatives and legislation: they ensure that citizens’ rights are respected.