The original case might seem obscure to many and have little initial impact on their business. Case C-230/14 Weltimmo s.r.o v Nemzeti Adatvédelmi és Információszabadság Hatóság is unlikely to have crossed any corporate lawyer's desk. In brief, it concerns the Slovakian company Weltimmo, which runs a property website dealing with Hungarian properties.
Despite advertisers asking for details to be deleted, Weltimmo charged them costs and then passed their details to a Hungarian collection agency. An appeal to the Hungarian Data Protection Office led to a fine of HUF10,000 (€32,000) for Weltimmo for infringing Hungarian data protection laws.
After an appeal, the case went to the European Court of Justice (ECJ) for a final ruling as to whether the Hungarian authorities could apply their data protection laws to a company registered and operating in another EU state. This is where the whole case becomes extremely interesting.
The ECJ Ruling
The ECJ has ruled that:
By today’s judgment, the Court recalls that, according to the directive, each Member State must apply the provisions it adopted pursuant to the directive where the data processing is carried out in the context of the activities conducted on its territory by an establishment of the controller. In that regard, the Court notes that the presence of only one representative can, in some circumstances, suffice to constitute an establishment if that representative acts with a sufficient degree of stability for the provision of the services concerned in the Member State in question. In addition, the Court states that the concept of ‘establishment’ extends to any real and effective activity — even a minimal one — exercised through stable arrangements.
Read further into the ruling and it offers some interesting clarification:
The Court states that each supervisory authority established by a Member State must ensure compliance, within the territory of that State, with the provisions adopted by all Member States pursuant to the directive. Consequently, each supervisory authority is to hear claims lodged by any person concerning the protection of his rights and freedoms in regard to the processing of personal data, even if the law applicable to that processing is the law of another Member State.
However, in the event of the application of the law of another Member State, the powers of intervention of the supervisory authority must be exercised in compliance, inter alia, with the territorial sovereignty of the other Member States, with the result that a national authority cannot impose penalties outside the territory of its own State.
The impact on pan European operations
The ruling is interesting on many levels. First, many US companies such as Amazon and Apple have based themselves in Ireland because they believe that the Irish Office of the Data Protection Commissioner (ODPC) is more favourable to them than many other EU countries. They have then relied on the ODPC's interpretation of EU data protection law to defend themselves against lawsuits from individuals in other EU states.
Ireland is not the only country to have benefitted from US companies. The UK has also been seen as a soft touch when it comes to handing out fines, despite efforts by the Information Commissioner's Office (ICO) to rectify that.
The second interesting part of the ruling is that the company must have an office in the country in which it is being sued. This means that big US companies that have offices across Europe may now have to increase their legal staff or consider closing offices based on the number of legal cases they face.
This ruling comes ahead of the General Data Protection Directive which, in itself, seeks to close the differences between different member states. What the GDPR doesn’t do is resolve the issue over the size of fines. Under this ruling, not only could a company find itself fined in several countries, but the levels of fines could vary wildly.
“Today’s landmark ruling from the European Court of Justice has changed the face of data protection for companies operating across multiple EU jurisdictions, particularly those who are consumer facing.
“Previously, European laws allowed multinational businesses with operations in Europe to be only subject to the data protection laws of one European country. This was to the benefit of many companies, some of whom elected to create an establishment in the UK or Ireland, where data protection laws and practices are more liberal and arguably more business friendly.
“Following the case of Weltimmo, companies that have websites translated into another language, targeting consumers of member states outside of their own establishment, may now have to comply with the regulations in each individual member state. This dramatically increases compliance costs, particularly where a website is targeted at multiple member states, and makes the company subject to multiple data protection authorities.
“We expect that this case will be welcomed by data protection authorities, and as a result, social media and e-commerce multinationals will need to urgently consider their European data protection compliance strategies. With the appetite for enforcement high across a number of member states, the repercussions for non-compliance could be huge.”
A tsunami of cases waiting to be unleashed?
Are we likely to see the courts overwhelmed by a tsunami of data protection cases? Probably not in the short term. However, there is now ample scope to reopen a number of other cases from recent months such as the compliance of Google and Facebook with the US Prism spying programme.
Both companies were given extremely favourable rulings under ‘safe harbour’ provisions by the ODPC in a case brought by the Europe v Facebook campaign. That ruling also looks suspect after a landmark shock also delivered by Advocate General Bot in case C-362/14.
Bot has provided an opinion to the ECJ saying that the way Safe Harbour operates does not prevent European countries from suspending the arrangement and even going so far as to declare it invalid. The opinion from Bot has not yet been accepted by the ECJ but it is rare for such opinions to be overlooked and ignored.
All of this comes at a critical time in the negotiations around the Transatlantic Trade and Investment Partnership (TTIP). There is so much concern in Brussels that all documents relating to these talks have been declared secret by EU Commissioner Malmström, previously outed by Jade Nester, National Telecommunications and Information Administration, US Department of Commerce, as the US Government's little helper in Europe.
France has already threatened to walk away from TTIP over the lack of transparency over what is being offered to US companies, describing the whole process as a “democratic problem”. While there has been a lot of coverage around the lack of environmental protection in TTIP, there is equal concern over the access and protection of EU citizen data that TTIP would create, putting it at odds with the GDPR and creating another morass of conflicting laws inside Europe.
It has been a great week for privacy campaigners across Europe with two major blows being struck against EU legislation. Unfortunately it will be some time before we see anything positive for citizens with the only people likely to gain here being lawyers who must be rubbing their hands with glee.
On a serious note, the big questions for many companies will be what does this mean for their pan-European businesses? Can they continue to operate as they have across Europe? Will they need to review and change their business practices in different states?
At a time when the European economy is struggling to recover, will this also mean less job creation as both European and international companies slow down expansion in the region? It may even lead to job losses, which may end up creating political pressure to change the GDPR again.
At a more fundamental level the idea of a single market in Europe that removes red tape for business just took a major slap in the face.