On October 1st, 2015 the European Court of Justice passed a ruling that will change data protection for companies operating across multiple EU member states – particularly for those who are consumer facing. 

In simple terms the ruling means that if a company is operating within the borders of a country, and targeting the residents of that country for business, it is subject to the country’s data protection rules – regardless of the fact that the operating company may be based in another location.

The ruling was decided in the case of Weltimmo s.r.o v Nemzeti Adatvédelmi és Információszabadság Hatóság (Weltimmo s.r.o v National Authority for Data Protection and Freedom of Information). Weltimmo is a Slovakian company who run a property website dealing with Hungarian properties.

In Short, Weltimmo screwed up – and it’s going to cause everyone in the eu a bit of a headache.

Weltimmo’s site is serviced in Hungarian, and targets Hungarian citizens. They were offering a free month of advertising to new members – lots of Hungarians signed up, had their free month, then asked for their ads to be removed, and their data deleted. Weltimmo did not comply with their requests, and began billing the advertisers. When they did not pay, Weltimmo passed their details to a Hungarian collection agency.

An appeal to the Hungarian Data Protection Office led to a fine of HUF10,000 (€32,000) for Weltimmo, for infringing Hungarian data protection laws.

It is from this point that things started to get interesting. After an appeal, the case went to the European Court of Justice (ECJ) for a final ruling as to whether they could apply their data protection laws to a company registered and operating in another EU state.

[easy-tweet tweet=”The ECJ ruled companies are subject to the data laws of the country they operate in” user=”rhian_wilkinson” hashtags=”datalaw”]

The ECJ ruled that Weltimmo was subject to Hungarian data protection laws:

By today’s judgment, the Court recalls that, according to the directive, each Member State must apply the provisions it adopted pursuant to the directive where the data processing is carried out in the context of the activities conducted on its territory by an establishment of the controller.”

For more clarification:

The Court states that each supervisory authority established by a Member State must ensure compliance, within the territory of that State, with the provisions adopted by all Member States pursuant to the directive. Consequently, each supervisory authority is to hear claims lodged by any person concerning the protection of his rights and freedoms in regard to the processing of personal data, even if the law applicable to that processing is the law of another Member State.

However, in the event of the application of the law of another Member State, the powers of intervention of the supervisory authority must be exercised in compliance, inter alia, with the territorial sovereignty of the other Member States, with the result that a national authority cannot impose penalties outside the territory of its own State.

[easy-tweet tweet=”The ECJ ruling on data protection has massive ramifications in the global age of information” user=”rhian_wilkinson”]

This has massive ramifications in the global age of information – companies such as Facebook have come under fire in the past for blurring the lines on personal data laws.

In the Facebook case Germany was challenging Facebook to allow profiles to be made under pseudonyms. German Data Protection law provides that a web service provider shall offer an anonymous use of web services where this is technically possible and reasonable – Facebook does not allow anonymous use – and has been known to lock people out of their profiles if they are found to be using a fake name.

Facebook has no branch or subsidiary in Germany – they only legally operate places of business in the US and Ireland. Before this ruling, it could have been argued that any processing of personal data is subject to the Data Protection laws of Ireland. But now everything has changed.

Ashley Winton, UK head of data protection and privacy at international law firm Paul Hastings has released the following statement in regards to the ruling. 

“Previously, European laws allowed multinational businesses with operations in Europe to be only subject to the data protection laws of one European country. This was to the benefit of many companies, some of whom elected to create an establishment in the UK or Ireland, where data protection laws and practices are more liberal and arguably more business friendly.

Following the case of Weltimmo, companies that have websites translated into another language, targeting consumers of member states outside of their own establishment, may now have to comply with the regulations in each individual member state. This dramatically increases compliance costs, particularly where a website is targeted at multiple member states, and makes the company subject to multiple data protection authorities.

We expect that this case will be welcomed by data protection authorities, and as a result, social media and e-commerce multinationals will need to urgently consider their European data protection compliance strategies. With the appetite for enforcement high across a number of member states, the repercussions for non-compliance could be huge.”

Now, we just wait and see what the fallout of this ruling will be. Popcorn anyone?