High Administrative Court of Bavaria on the concept of "Member States law” in the GDPR: Airbnb must also comply with Bavarian (local) laws

With its decision of 20th August 2019 (German), the High Administrative Court of Bavaria not only dealt intensively with questions of national telemedia law, but also commented on the question of what a “Member State law” in the sense of Art. 6 para. 2 and 3 GDPR is. In the opinion of the Court, federal state laws and municipal local laws can fall under this term and must therefore also be observed by companies in other Member States.

Facts

The decision was based on a dispute between the City of Munich and Airbnb, established in Ireland. Due to the increasing scarcity and price increase of living space in Bavarian cities, the Bavarian state government had enacted an ?Act on the Prohibition of Illegal Repurposing of Housing“ (ZwEWG). According to this national law, only applicable in the state of Bavaria, homeowners and landlords may only rent out their apartments in certain areas with permission if this does not impair the supply of rented apartments to the population. The ZwEWG was accompanied with a municipal local law, “Statute on the prohibition of the misappropriation of residential property” (ZeS).

Despite this provision, a large number of people still rent their apartments as holiday homes, e.g. on Airbnb. In order to clarify who rents his apartment on Airbnb and whether the person responsible has the necessary permission, the City of Munich requested Airbnb to disclose about 1.000 data records of users. Airbnb defended itself, among other things, with the argument that they were not allowed to disclose the data because only Irish data protection law as well as the GDPR would apply. Furthermore, the City of Munich would not have jurisdiction for the ordered act of enforcement; it lacks territorial jurisdiction and competence to order acts of enforcement outside the boundaries of its urban area.

Judgment

In that regard, the Court held that the authority was able to act and that not only Irish data protection law would apply. Contrary to the assumption of Airbnb, it cannot rely on the fact that it has complied with the data protection provisions of its State of origin (Ireland) or claim that it may be measured solely by these data protection rules.

The Court justifies this with Art. 6 para. 1 lit. c and lit. e GDPR in conjunction with Art. 6 para. 2 and 3 lit. b GDPR as well as in conjunction with the ZwEWG and the ZeS, the associated municipal local law, and Sec. 14 para. 2 TMG (German Telemedia Act). According to Sec. 14 para. 2 TMG, the service provider (here: Airbnb) may, by order of the competent authorities, provide information about inventory data in individual cases, insofar as this is necessary for strictly prescribed like criminal prosecution or the prevention of danger by the police authorities. Sec. 14 para. 2 TMG is based on Art. 15 para. 2 of Directive 2000/31/EC. Art. 3 of Directive 2000/31/EC establish the country of origin principle. On the one hand, each Member State shall ensure that the information society services provided by a service provider established on its territory comply with the national provisions applicable in the Member State in question which fall within the coordinated field. On the other hand, Member States may not, for reasons falling within the coordinated field of Directive 2000/31/EC, restrict the freedom to provide information society services from another Member State.

With regard to the applicability and scope of the TMG, the Court explicitly refers to the pending case in front of the ECJ (C-390/18, Airbnb Ireland), where the General Advocate in its Opinion hold:

“Article 3 of Directive 2000/31 must be interpreted in such a way as to guarantee the free movement of information society services between the Member States. If Member States other than the Member State of origin were also competent to apply on their own initiative, to all providers of a category of information society services, measures of a general and abstract nature, the principle of the free movement of such services would be significantly weakened”.

In the case at hand, the question was how this principle affects the applicable data protection law. The Court's answer: not at all. Sec. 3 para. 3 no. 4 TMG applies in this respect, according to which the entire data protection law relevant in the present case is excluded from the country of origin principle.

The national provisions of the ZwEWG, ZeS and Sec. 14 para. 2 TMG must be considered as “Member State law to which the controller is subject” (Art. 6 para. 3 lit. b GDPR) to which Airbnb, as the person responsible for providing information, is subject by virtue of the territorial scope of Art. 3 para. 1 GDPR.

According to the Court, this applies even if the data controller (here: Airbnb) would not be established in the EU. It is therefore sufficient if he offers services in the EU (local market principle).

“There can therefore be no reasonable doubt that the national law of the Federal Republic of Germany (and not [solely] that of the Republic of Ireland) applies to a processing operation based on Art. 6 para. 1 lit. c and e GDPR, because the plaintiff, due to its activity as a service provider in the Munich market place, does not comply with the local legal obligations there”.

Thereafter, the Court also commented on the term " Member State law" within the meaning of Art. 6 para. 3 GDPR. This was relevant, since the mentioned national provisions could only serve as a legal basis for a data transfer, if they do not conflict with the provisions of Art. 6 para. 2 and 3 GDPR. Airbnb stated, among other things, that passing on the requested data to the City of Munich would violate Art. 6 GDPR. The Court hold:

“The constituent element " Member State law" is to be interpreted in the light of the respective constitutional order of the Member States (cf. Recital 41 GDPR) and at the same time also includes municipal statutes”

like the ZeS in the present case.

Overall, however, the administrative act of the authority was deemed unlawful, since the request of the 1000 data records did not meet the requirements of Sec. 14 TMG.