The Court of Justice of the European Union (CJEU) has been very busy in recent weeks re-shaping EU privacy laws. In addition to the much-anticipated decision in “Schrems” (Case C-362/14), which essentially rules the US-EU Safe Harbor invalid, the CJEU has also considered the key issue of “establishment” in another landmark case, namely “Weltimmo” (Case C-230/14).
In particular, it has ruled that businesses with only very minimal operations in an EU Member State can nevertheless be subject to the data protection laws of that Member State, where they process personal data in the context of activities directed towards that Member State. This effectively widens the scope of “establishment” and creates additional headaches for those with European operations.
The action point for companies with a European footprint is therefore to review their European processing activities, re-think where they might be established and look to comply with local laws in those jurisdictions. Status quo is not an option for those who wish to avoid enforcement action in “foreign” jurisdictions they previously thought they could ignore.