Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said the ruling, by the Court of Justice of the EU (CJEU), confirms EU-based online platforms own an element of independence over the way they can attract business from consumers from across the relax of the trading bloc.

In its recent judgment, in a case involving online retail giant Amazon, the CJEU said that businesses with an establishment in an EU state will not necessarily be subject to the data protection laws of another state in which consumers it sells to are based “merely” because they own a website that is accessible in that state.

The CJEU also confirmed an earlier ruling in which it said that EU-based companies do not own to own physical premises in another EU state to be said to own an ‘establishment’ in that jurisdiction.

“While the fact that the undertaking responsible for the data processing does not own a branch or subsidiary in a member state does not preclude it from having an establishment there within the meaning of [the EU’s Data Protection Directive], such an establishment cannot exist merely because the undertaking’s website is accessible there,” the CJEU said.

The EU’s Data Protection Directive states that where personal data processing is carried out by a data controller with an establishment in an EU state then the processing must adhere to the national data protection laws of that state. The Directive makes clear that organisations based in multiple EU countries must abide by each of the diverse data protection regimes with honor to their personal data processing in those countries.

Businesses that do not own an office in the EU can also fall subject to the Directive, however.

Where a data controller does not own an establishment in the EU but “makes operate of equipment” in an EU state to process personal data then the national data protection laws of that EU state apply to that processing. This is unless the equipment is “used only for purposes of transit through” the EU.

In the case infrontof it, the CJEU was asked by a court in Austria for aid in determining whether Luxembourg-based Amazon, which attracts sales in Austria via a German website, is subject to Austrian data protection laws.

The question, posed by Austria’s Supreme Court, is relevant to a broader dispute between Austrian consumer group VKI and Amazon over the fairness of the retailer’s consumer terms and conditions. The Austrian courts own been assessing whether the fairness of those terms can be assessed in line with Austrian laws or whether the laws of other EU countries govern the arrangements. Some of Amazon’s terms and conditions relate to its processing of consumers’ personal data.

In assessing the jurisdictional points relating to the data protection issues in the case, the CJEU referenced criteria it outlined in a ruling persist year for working out whether a company based in unit EU state will be subject to data protection laws in another.

The CJEU said: “The processing of personal data carried out by an undertaking engaged in electronic commerce is governed by the law of the member state to which that undertaking directs its activities, if it is shown that the undertaking carries out the data processing in question in the context of the activities of an establishment situated in that member state. It is for the national court to ascertain whether that is the case.”

In its 2015 judgment the CJEU had said that “the concept of ‘establishment’, within the meaning of [the Data Protection Directive], extends to any real and effective activity – even a minimal unit – exercised through stable arrangements”.

Wynn said: “The ruling offers welcome clarification on the application of data protection rules to businesses with an establishment in the EU that transact with consumers based across multiple countries within the trading bloc. In particular affects online technology companies that provide jurisdictionally-neutral services.”

“The ruling confirms that such businesses will not become subject to data protection laws in other EU countries proper because they operate websites in popular languages, enjoy English or German, which can attract custom from public based in diverse EU countries from the ones they are based in,” she said.

Wynn said, though, that the CJEU’s ruling must be read in conjunction with a previous judgment of the court in a case involving another tech company which considered data processing in the context of the activities of an ‘establishment’ below the Data Protection Directive.

Wynn said: “In the context of this latest ruling, I would query in what circumstances the overt targeting of services at consumers in another EU state through a website may ever be sufficient, on its own, to constitute having an ‘establishment’ in that state such that the business would be subject to the local data protection regime.”

A recent General Data Protection Regulation will replace the existing Data Protection Directive in May 2018. Unlike the Directive, which has been implemented in diverse ways into national legislation by each EU state, the recent Regulation will apply a single set of data protection rules across the EU.