A number of high-profile rulings by The European Court of Justice (ECJ) have recently shifted the global data protection landscape. Ashley Winton has the details.
The ECJ’s rulings are forcing companies that operate across multiple EU jurisdictions to quickly adapt their businesses to comply with these changes. Consumer-facing firms in particular will have a lot of adjustments to make, or they risk potential litigation.
The ECJ ruling in Weltimmo has decisively altered previously established EU laws that allowed multi-national businesses operating in Europe to be subject only to the data protection laws of one European country.
Registered in Slovakia, Weltimmo runs a website dealing in Hungarian properties, processing the personal data of featured advertisers. These advertisements were initially free of charge, but after a month a fee was enforced. The problem arose when those who requested their advertisements be deleted continued to receive demands for payments, which subsequently went unpaid and were referred to debt collection agencies.
The Supreme Court of Hungary asked the ECJ to decide whether the EU’s Data Protection Directive meant the Hungarian authority was responsible for data protection, or could impose a fine on Weltimmo by applying the Hungarian law adopted on the basis of the directive. The court decided that the company’s activities meant that this action could be taken.
Weltimmo is an illustration of how the issue of cross-border data processing works in practice. For businesses targeting consumers outside of their established jurisdiction, the changes have meant they now have to observe the data protection regulations of each individual member state. Therefore even companies that have their website translated for international consumers will have to comply with the laws of each member state in which they operate.
Traditionally, many firms elected to locate one of their key establishments in the UK or Ireland, where more liberal data protection laws granted their business greater freedom. These more generous data protection regimes have been subject to continual criticism. In particular, many in Germany believe stricter data protection laws should be applied across Europe. No doubt, the ECJ’s ruling in Weltimmo will have done much to allay these concerns.
What’s next for those processing data across Europe?
If a company operates across Europe and targets citizens of another country, there is now a risk that its data protection authority will be allowed to exercise investigatory powers and even intervene in the firm’s activities. The repercussions for non-compliance could be huge, and the likelihood is that the new laws will be enforced strictly by the data protection authorities who welcomed them, with fines becoming a matter of national law. Therefore social media and e-commerce multinationals will urgently need to reconsider their European data protection compliance strategies, as they are no longer protected by locating their establishments in more business friendly EU states.
For those businesses aimed at consumers in multiple member states, compliance costs will be particularly high. In this respect, the Weltimmo ruling is more significant than the highly publicised ECJ data protection case, Schrems which involved the transfer of data to the US via the Irish division of Facebook. After information regarding US mass surveillance of data was uncovered, the ECJ Safe Harbour was ruled invalid. This data-transfer pact between the EU and US was agreed by the European Commission in 2000, which at the time considered the scheme ensured an adequate level of protection of the personal data it transmitted across the Atlantic.
However, with a dramatic increase in the amount of data transferred, these rulings show that consumers now expect cross-border protection and transparency. Weltimmo leaves companies with operations in Ireland no alternative but to be more compliant with immediate effect, however costly. They must be aware that web users in a particular country now have the right to complain to their regulator if they are unhappy about things that have happened after they have submitted data to a website. This could include grievances regarding direct mail, data misuse, and social media websites. Individuals will be entitled to have their complaints taken much more seriously by data protection regulators, both locally and across the EU, who may well act on their behalf.
The recent ECJ rulings have limited companies’ data facilities and made multi-national businesses increasingly vulnerable. Firms must therefore act swiftly to allow themselves to continue business whilst protecting themselves from both the consumer and the regulator.
Ashley Winton is the UK head of data protection and privacy at international law firm Paul Hastings.