EU data protection: ECJ extends the long arm of the law
National EU member state courts, as well as the European Court of Justice (ECJ), have struggled for several years to define the scope of application of EU data protection law in individual member states.
In a decision that provides important guidelines on the competence of, and co-operation between, national data protection authorities (DPAs), the ECJ has clarified how data protection law applies in cross-border situations within the EU.
In this significant ruling, the ECJ has confirmed its view that even minimal activities in a member state can trigger the application of that member state's data protection law. It clarified that this wide interpretation of the Directive is not only applicable in situations where the data controller is based outside the EU. However, the ECJ still failed to set out clearly when data processing takes place "in the context of the activities" of an establishment.