Article 4(1)(a) 'establishment of the controller' in EU data privacy law - time to rein in this expanding concept?

Date of this Version


Document Type

Journal Article

Publication Details

Citation only

Svantesson, D.J.B. (2016). Article 4(1)(a) 'establishment of the controller' in EU data privacy law - time to rein in this expanding concept? International Data Privacy Law, 6(3), 210-221.

Access the journal

© The Author 2016


2044-3994 print, 2044-4001 online



Introduction: Article 4 of the Data Protection Directive—defining the Directive’s territorial scope—has always been shrouded in a veil of mystery.1 No one seems to have been quite certain as to exactly what the role of that Article is and how it relates to other provisions; especially how it relates to Article 28 dealing with jurisdiction. For the first 15 years or so, the confusion surrounding Article 4 seems to have mattered little in that, whatever issue Article 4 was to address, that issue did not get much time in the limelight. That has now changed, not least due to the Internet. Article 4 has been the very focal point in one recent CJEU decision (Weltimmo2), and an important matter in another recent CJEU decision (Google Spain3). Furthermore, the proper interpretation of Article 4 is one of several important matters in a request to the CJEU for a preliminary ruling from the Oberster Gerichtshof of Austria (Verein fu¨r Konsumenteninformation4), in relation to which Advocate General Saugmandsgaard Øe delivered his Opinion on 2 June 2016. And Article 4 is set to again be the battle ground in the CJEU, namely in the context of the ongoing dispute relating to Facebook’s so-called ‘Fanpages’.5 Among these disputes, it is particularly subsection 1(a)—processing of personal data in the context of the activities of an establishment of a controller in the Union—that has been the focal point, and it is the meaning of that specific subsection I will discuss here.

This document is currently not available here.



This document has been peer reviewed.