Article 4(1)(a) 'establishment of the controller' in EU data privacy law - time to rein in this expanding concept?
Date of this Version
2044-3994 print, 2044-4001 online
Introduction: Article 4 of the Data Protection Directive—defining the Directive’s territorial scope—has always been shrouded in a veil of mystery.1 No one seems to have been quite certain as to exactly what the role of that Article is and how it relates to other provisions; especially how it relates to Article 28 dealing with jurisdiction. For the first 15 years or so, the confusion surrounding Article 4 seems to have mattered little in that, whatever issue Article 4 was to address, that issue did not get much time in the limelight. That has now changed, not least due to the Internet. Article 4 has been the very focal point in one recent CJEU decision (Weltimmo2), and an important matter in another recent CJEU decision (Google Spain3). Furthermore, the proper interpretation of Article 4 is one of several important matters in a request to the CJEU for a preliminary ruling from the Oberster Gerichtshof of Austria (Verein fu¨r Konsumenteninformation4), in relation to which Advocate General Saugmandsgaard Øe delivered his Opinion on 2 June 2016. And Article 4 is set to again be the battle ground in the CJEU, namely in the context of the ongoing dispute relating to Facebook’s so-called ‘Fanpages’.5 Among these disputes, it is particularly subsection 1(a)—processing of personal data in the context of the activities of an establishment of a controller in the Union—that has been the focal point, and it is the meaning of that specific subsection I will discuss here.
This document has been peer reviewed.