The Concept of Establishment and Data Protection Law: Rethinking Establishment

The regulatory success of the concept of establishment results from its multifaceted nature. The concept provides the regulator with a versatile tool, able to adapt its meaning to the specific policy principles of the area of law in which it is used. This article analyses the data protection concept of establishment and examines the extent to which the new Data Protection Regulation perpetuates the status quo. It demonstrates how the Court of Justice of the EU (CJEU) has modernised the establishment notion with its landmark rulings, Google Spain and Weltimmo, and how these judgments have helped the term “establishment” make a legislative transition from the old Data Protection Directive to the new Data Protection Regulation. An analysis of the revised data protection concept of establishment on objective, territorial and subjective grounds shows that conditions now exist to support a higher degree of formality in the formulation of the constituent elements of establishment. As this concept remains substantial in essence, for establishment still requires both a certain structure through which (minimal) activity is conducted, future developments should be cautious in allowing the legal reach of the establishment to extend further, in particular, beyond its objective limits.