Landmark EU Data Protection Ruling To Impact Tech Giants


European court decision against Slovakian property website could have far-reaching consequences

Europe’s top court has made what experts are calling a landmark decision regarding data protection laws thanks to an obscure Slovakian property website.

The European Court of Justice (ECJ) has ruled in favour of the Hungarian data protection authority in its case against Weltimmo, a decision that some feel will change the face of data protection in Europe and could cause real problems for many firms, including the likes of Facebook and Google.

Court Ruling

The ECJ ruling on Thursday essentially says that if a company operates a service (such as a website) in the native language of a country, and has representatives in that country, then it can be held accountable by the country’s national data protection agency.

This potentially explosive ruling comes despite the fact that the company may not be headquartered in the country concerned.

“Today’s landmark ruling from the European Court of Justice has changed the face of data protection for companies operating across multiple EU jurisdictions, particularly those who are consumer facing,” said Ashley Winton, UK head of data protection and privacy at international law firm Paul Hastings in an emailed statement to TechweekEurope.

The ECJ decided that Weltimmo could be liable for fines imposed by the Hungarian authority for breach of national data protection law when it said that “…Weltimmo’s activity is subject to the Hungarian legislation on data protection.”

Winton explained that until now, European laws had allowed multinational businesses with operations in Europe to be subject only to the data protection laws of one European country. This allowed US companies, for example, to create their European headquarters in Ireland or the UK, where data protection laws and practices are more liberal than on the continent.

But after the ECJ ruling on the Weltimmo case, companies that have websites translated into another language, targeting consumers of member states outside of their own establishment, may now have to comply with the regulations in each individual member state.

The consequences of this decision could be massive. It could, for example, trigger a dramatic rise in compliance costs, particularly where a website is targeted at multiple member states.

It also means that companies will be subject to multiple data protection authorities.

Huge Implications

“We expect that this case will be welcomed by data protection authorities, and as a result, social media and e-commerce multinationals will need to urgently consider their European data protection compliance strategies,” said Winton. “With the appetite for enforcement high across a number of member states, the repercussions for non-compliance could be huge.”

Indeed, Facebook, Google and co are already facing a potentially massive decision when the ECJ rules on 6 October over the Max Schrems case against Facebook.

Last month, the highly influential advisor to the ECJ, Advocate General Yves Bot, told Europe’s top court that the existing data sharing deal between the US and Europe is invalid and that member states can suspend data sharing with the US, because America does not have an adequate level of data protection safeguards.

The judges are not bound by Bot’s opinion when they reach their own decision on 6 October, but they tend to follow it in most cases.

The current Safe Harbour deal has been in place since 2000, and effectively allows US firms such as Google and Facebook to collect data on their European users, as long as certain principles around storage and security are upheld. But Facebook and others have (albeit reluctantly) shared the data of EU citizens with American intelligence agencies such as the National Security Agency (NSA), when they request the data.
