Europe’s highest court ruled Thursday that if a company is operating in a particular country and targeting residents of that country for business, then it IS subject to that country’s data protection rules.
The Weltimmo case hinged on the question of jurisdiction for data protection issues. Weltimmo is a Slovakian company running a property sales website in Hungary.
Many Hungarians took up the offer of free advertisements for one month, but asked that their accounts, personal data and adverts be deleted once the free trial had run out. However, Weltimmo did not delete the information and started racking up charges for its “services”. When those bills were not paid, Weltimmo forwarded the personal data to debt collection agencies.
The advertisers complained to the Hungarian data protection authority (DPA), which duly fined Weltimmo €32,000 for having infringed Hungarian data protection law. Weltimmo claimed the Hungarian DPA did not have jurisdiction, and so the case has ended up before the European Court of Justice (ECJ).
In today’s ruling, the ECJ said that “Weltimmo unquestionably pursues a real and effective activity in Hungary. Weltimmo has a representative in Hungary, who is mentioned in the Slovak companies register with an address in Hungary and who has sought to negotiate settlement of the unpaid debts with the advertisers. In addition, Weltimmo opened a bank account in Hungary, intended for the recovery of its debts, and uses a postbox in Hungary for the management of its everyday business affairs.”
However the ECJ maintains that it is still up to the Hungarian High Court to decide if this is sufficient to satisfy local law that Weltimmo is established in Hungary. If so, then the fine stands, but even if the referring court should find that Weltimmo does not have an “establishment” in Hungary, the Hungarian DPA can still ask the Slovakian supervisory authority to impose a fine.
The ECJ said that every national DPA “must ensure compliance, within the territory of that state, with the provisions adopted pursuant to the Data Protection Directive. Consequently, each DPA is to hear claims lodged by any person concerning the protection of his rights and freedoms in regard to the processing of personal data, even if the law applicable to that processing is the law of another member state.”
This isn’t the first time that the ECJ has come to this conclusion. In the case of Google Spain, the court decided that a country’s laws apply “when the operator of a search engine sets up in a member state a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that member state.” In other words, if you are marketing to Spanish users in Spanish, then Spain has jurisdiction.
Today’s ruling could have big implications for Facebook, for example, which is under investigation in many EU countries, but claims only to be subject to Irish data protection law.
The imminent General Data Protection Regulation that will apply throughout the EU could resolve many of these issues, as citizens will be able to complain to their own DPA, which will then work with the DPA in the country where the company is headquartered.
In a related case, the ECJ also ruled on Thursday that authorities must inform people in advance when their personal data is transferred between two public administrative bodies.
Self-employed Romanian national, Smaranda Bara, complained that the Romanian tax authority transferred data relating to her declared income to the National Health Insurance Fund, which then required the payment of arrears for health insurance contributions. She alleged that her personal data was processed for purposes other than that which she had supplied it for, without her knowledge nor explicit consent.
The ECJ said that authorities have a duty to inform data subjects people that their data will be transferred to another public administrative body for processing, as well as the purpose of the processing. ®