Yesterday the European Court of Justice (ECJ) reached a judgement on data protection legislation in the case of Weltimmo, which will have far-reaching implications for tech giants processing data in Europe, including Facebook and Google.
The ECJ ruled that ‘data protection legislation of a Member State may be applied to a foreign company which exercises in that State’. It found that ‘each Member State must apply the provisions it adopted pursuant to the directive where the data processing is carried out’. In addition, the court found that ‘the concept of “establishment” extends to any real and effective activity – even a minimal one.’
The precedent set is that ‘each supervisory authority established by a member state must ensure compliance, within the territory of that state, with the provisions adopted by all member states pursuant to the directive. Consequently, each supervisory authority is to hear claims lodged by any person concerning the protection of his rights and freedoms in regard to the processing of personal data, even if the law applicable to that processing is the law of another Member State.’
Ashley Winton, UK head of data protection and privacy at international law firm Paul Hastings, emailed SCMagazineUK.com commenting: “Today's landmark ruling from the European Court of Justice has changed the face of data protection for companies operating across multiple EU jurisdictions, particularly those who are consumer facing.”
He explained how European laws previously allowed multinational businesses with operations in Europe to be subject only to the data protection laws of one European country, leading several to create establishments in the UK or Ireland, where data protection laws and practices are more liberal and viewed by some as more business friendly.
However, following the case of Weltimmo, Winton notes: “Companies that have websites translated into another language, targeting consumers of member states outside of their own establishment, may now have to comply with the regulations in each individual member state. This dramatically increases compliance costs, particularly where a website is targeted at multiple member states, and makes the company subject to multiple data protection authorities.”
He told SC: “We expect that this case will be welcomed by data protection authorities, and as a result, social media and e-commerce multinationals will need to urgently consider their European data protection compliance strategies. With the appetite for enforcement high across a number of member states, the repercussions for non-compliance could be huge.”
In an email to SCMagazineUK.com, Sarb Sembhi, director, Storm Guidance, adds: "This ruling should not be a surprise to most. When the new EU General Data Protection Regulation comes in, yes there will be a single harmonised law across the whole of the European Community – which is the whole point of updating it. Also, in the meantime, since there is no harmonisation, businesses have to comply with the legislation of each country they are operating in, not just where they are based.
"It seems that some of the larger corporates expect to have the protection of harmonisation now, without the pain of larger fines that are likely to come with the new Regulation, but don't even want to accept the current responsibilities of the non-harmonised legislation. In a similar way that these corporations operate their tax affairs, they are trying to operate data protection and privacy to a point where they differentiate between data protection evasion and data protection avoidance. What is the difference and what is acceptable?"
According to Sembhi, this case also "reinforces and recognises the sovereignty of each member state and their current legislation to comply with the previous Directive as they saw fit, rather than to create a bad precedent which would likely lead to each member state questioning the point of a Directive compared to a Regulation."