On the 1st October 2015, the European Court of Justice made a landmark ruling that all international organisations should abide by the data protection legislation that exists in all the jurisdictions in which they operate.
This decision centered on the outcome of the ECJ Weltimmo case, which was brought by the Hungarian data protection authority against property website Weltimmo. Weltimmo ran a property advertising service in Hungary even though it was based in Slovakia. The Court found that the Slovakian company's cross-border activity, sharing information with debt collection agencies, breached data protection laws in Hungary, ruling that:
- No matter what size of operation exists in each member state, a company must apply the data protection legislation of that member state to all of its activities if it has an establishment within that country, for example if the organisation operates a service in the native language of a country, has offices or bank accounts in that country, or has representatives registered in that country;
- Organisations are then regulated by the relevant EU countries’ national data protection authorities even if the organisation is not headquartered in the country of that Regulator. That means those Regulators can impose fines where those exist. In the Weltimmo case, this means the company could be liable for the 10m Hungarian forint fine (£23,650) which had been issued by the Hungarian data protection authority;
- If it cannot be shown that an “establishment” exists in that EU member state, then the relevant local data protection authority in that member state would not be able to issue fines and/or take enforcement action and would instead have to rely on the data protection authority of the relevant member state where the organisation was based.
In practical terms, this case means that all organisations will need to ensure they keep abreast of the relevant legislative variations across Europe, and this will of course place considerable additional administrative burdens on organisations and raise their compliance costs dramatically. For example, the costs and potential adverse repercussions of not getting on top of your requirements if you market to a number of different organisations via your sales website or similar could be huge.
Whilst there has been much talk of the impact of this case on the big technology companies like Facebook and Google, who process data here in Europe, it is clear that in the age of the multinational, costs for remaining compliant will dramatically increase for all sorts of organisations – especially those that are consumer-facing and those that operate in EU Member States that have a stronger appetite for enforcement.
Previously, companies only had to adhere to the data protection legislative requirements of one country, and a lot of multinationals chose to create the nominated establishment in either the UK or Ireland, where the laws and practices were more relaxed.
If you require advice on data protection compliance and privacy matters, or to understand how any of the recent ECJ judgements might affect the operations of your organisation, please do not hesitate to reach out to Pritchetts for tailored advice.