Last month’s European Court of Justice (ECJ) ruling, which declared US Safe Harbor invalid, has dominated recent press coverage in the data protection field. Yet only a few days earlier an equally if not more significant ruling was made by the same court in a case widely known as Weltimmo, which is likely to have an impact on businesses that process personal data and currently operate in more than one country within the European Union.
In essence the judgement allows individuals to submit complaints to their national data protection authority about an organisation and how their personal data is being processed, even if the organisation in question is based in a different country.
What was the state of affairs before Weltimmo?
All EU member states implement the data protection directive in different ways and have their own national supervisory authority. This results in differences from country to country in both how the law is enforced and the legal requirements that must be adhered to. This creates a confusing matrix in what is supposed to be an area that has a harmonised approach to protection of an individual’s data. It is therefore not surprising that international businesses that are operating across the EU have often sought to simplify their regulatory profile by attempting to fall under the laws and jurisdiction of a single member state.
Before Weltimmo, it was generally understood that the country in which a company was incorporated had jurisdiction over its processing of personal data, irrespective of where the individuals whose data is being processed are located. When coupled with tax incentives many businesses have therefore chosen to register themselves in countries such as Ireland whose data protection laws are considered some of the least draconian.
What has changed?
Weltimmo, a company registered in Slovakia, runs a property dealing website for properties located in Hungary. Various advertisers, whose personal data was processed on the website, requested that their account be deleted following the end of a free trial period. However, Weltimmo did not adhere to the requests and instead charged each advertiser for a renewed subscription to the site. This resulted in complaints being lodged by the affected parties with the Hungarian data protection authority.
Weltimmo contested the jurisdiction of the Hungarian authority, arguing that its data processing activities were governed solely by the Slovakian counterpart. This issue was referred to the ECJ, which ruled that Weltimmo’s business was in fact subject to the data protection laws of Hungary, despite it being a business registered in Slovakia.
The ECJ acknowledged that to be subject to the laws and authority of a particular member state, a data controller must be established in that country. The reasons given for why Weltimmo was considered to be established included that its website was written in Hungarian and it processed the personal data of Hungarian citizens for the purpose of advertising properties in their locality.
What does this mean for businesses operating across several member states?
The Weltimmo ruling has the potential to have a significant impact on how international businesses view their data protection compliance strategy. It seems that companies will no longer be able to avoid complying with the more onerous privacy laws of certain member states by locating their registered entity in a friendlier jurisdiction.
Companies will need to think carefully about whether they are likely to be considered data controllers in multiple member states and, when doing so, should take heed of the particular factors discussed by the ECJ in Weltimmo. For instance, a business ought to consider its market, in other words: who consumes its products or services and where those consumers are based.
One particular pitfall which businesses must try to avoid is disregarding a member state’s data protection laws because the business only has a branch located in that member state. In fact, it seems that the presence of even just one employee in a country can be sufficient to indicate that a business is established there. It raises the unsavoury possibility of companies having to fend off multiple actions across a variety of member states.
Companies that decide they are likely to be deemed established in multiple member states should review whether their existing data protection practices adhere to each of those states’ laws.
Authors - Sophie Morris and Daniel Whitehead
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.