On the 1st October 2015, the European Court of Justice made a landmark ruling that all international organisations should abide by the data protection legislation that exists in all the jurisdictions in which they operate.
This decision centered on the outcome of the ECJ Weltimmo case, which was brought by the Hungarian data protection authority against property website Weltimmo. Weltimmo ran a property advertising service in Hungary even though it was based in Slovakia. The Court deemed cross-border activity by the Slovakian company, in sharing information with debt collection agencies, to have breached data protection laws in Hungary, ruling that:
- No matter what size of operation exists in each member state, a company must apply the data protection legislation of that member state to all of its activities if it has an establishment within that country, for example if the organisation operates a service in the native language of a country, has offices or bank accounts in that country or has representatives registered in that country;
- Organisations are then regulated by the relevant EU countries’ national data protection authorities even if the organisation is not headquartered in the country of that Regulator. That means those Regulators can impose fines where those exist. In the Weltimmo case, this means the company could be liable for the 10m Hungarian forint fine (£23,650) which had been issued by the Hungarian data protection authority;
- If it cannot be shown that an “establishment” exists in that EU member state, then the relevant local data protection authority in that member state would not be able to issue fines and/or take enforcement action and would have to instead rely on the data protection authority of the relevant member state where the organisation was based.
In practical terms, this case means that all organisations will need to keep abreast of the relevant legislative variations across Europe. This will of course place considerable additional administrative burdens on organisations and raise their compliance costs dramatically. For example, if you market to a number of different organisations via your sales website or similar, the costs and potential adverse repercussions of not getting on top of your requirements could be huge.
Whilst there has been much talk of the impact of this case on the big technology companies like Facebook and Google, who process data here in Europe, it is clear that in the age of the multinational, costs for remaining compliant will dramatically increase for all sorts of organisations – especially those that are consumer-facing and those that operate in EU Member States that have a stronger appetite for enforcement.
Previously, companies only had to adhere to the data protection legislative requirements of one country, and a lot of multinationals chose to create the nominated establishment in either the UK or Ireland, where the laws and practices were more relaxed.
If you require advice on data protection compliance and privacy matters, or to understand how any of the recent ECJ judgements might affect the operations of your organisation, please do not hesitate to reach out to Pritchetts for tailored advice.