Recent EU judgments in privacy cause far reaching implications on online operations
January 2016 | EXPERT BRIEFING | RISK MANAGEMENT
On 1 October 2015, the Court of Justice of the European Union (CJEU) delivered its judgment in the Weltimmo s.r.o. vs. NAIH case, and clarified how data protection law applies in cross-border situations within the EU. Five days later, the CJEU also delivered its judgment in the Schrems vs. Facebook case, and declared the so-called ‘safe harbour’ scheme, which provided for simplified procedures for transferring personal data from the EU to the US, invalid. Both judgments have far-reaching implications and may significantly alter the business model of cross-border online operations.
The Schrems case
The controversial disclosures made by Edward Snowden in 2013 gave rise to serious concerns that once personal data was transferred from the EU to the US, it might be accessed for governmental surveillance purposes, and without any right for EU citizens to defend themselves before a US court. In 2013, Austrian law student Maximilian Schrems submitted a complaint against Facebook Ireland for breaching privacy laws when it automatically transferred the users’ data to the US under the safe harbour scheme. The safe harbour system is based on an international agreement between the EU and the US which provides for self-certification for those US companies who offered adequate protection for personal data transferred to them from the EU. According to Schrems, transferring personal data to the US – without prior verification from the national data protection authorities (DPAs) that Facebook complies with the EU’s level of data protection in the US – is against the privacy laws of the EU. The High Court of Ireland referred the case to the CJEU. When making its decision, the CJEU considered whether the safe harbour scheme was in line with EU privacy laws. On 6 October 2015, the CJEU ruled that the safe harbour agreement between the US and the EU was invalid, as US companies were unable to provide an adequate level of protection of personal data. The CJEU also referred to Snowden’s revelations, and found that European users’ personal data are not adequately protected against access by governmental surveillance in the US.
The Weltimmo case
The judgment in the Weltimmo case was issued only days before the invalidation of the safe harbour scheme. Weltimmo s.r.o, a company registered in Slovakia, ran two property dealing websites concerning Hungarian properties, exclusively in the Hungarian language. Consumers could place their real estate advertisements on Weltimmo’s websites for 30 days free of charge – after 30 days the operator automatically charged an advertising fee. However, the operator did not allow advertisers to delete their advertisements (including their personal data) after the 30 day free period, resulting in the continuous accrual of advertising fees. As the amounts charged were not paid, Weltimmo forwarded the personal data of the delinquent advertisers to debt collection agencies. NAIH, Hungary’s Authority for Data Protection and Freedom of Information has received 63 complaints in relation to the websites concerned and imposed the highest fine permitted by Hungarian law (approximately €32,000). Independently from the NAIH investigation, Weltimmo’s unfair business-to-consumer commercial practices were also reviewed by the Hungarian Competition Office (GVH) and the GVH brought a public interest action – the first ever in Hungary.
Weltimmo brought an action before the Budapest administrative and labour court against NAIH, and claimed that NAIH lacked jurisdiction in the case because Weltimmo did not have a registered office or branch in Hungary, and NAIH should have asked the Slovak Data Protection Authority to act. The Hungarian court denied Weltimmo’s defence because the data processing and services took place in Hungary. NAIH also claimed that Weltimmo had a Hungarian representative in Hungary, one of the owners of the company, who represented it in the administrative and judicial proceedings. In addition, NAIH learned that Weltimmo did not carry out any activity in Slovakia, had a bank account in Hungary for the recovery of its debts, and had a Hungarian post office box for its everyday business. On 1 October 2015, the CJEU ruled that the data protection law of an EU Member State can be applied, if a company (as data controller) exercises a real and effective activity in that Member State even if the company is not registered there. Based on the facts, the CJEU held that Weltimmo pursued a real and effective activity in Hungary and its data processing took place in the context of such activities. The CJEU departed from a formalistic approach whereby undertakings are established solely in the place where they are registered. It found that the EU Data Protection Directive permits EU countries to apply their data protection law to companies that exercise a real and effective activity in that state even if the company is not registered there.
Both the Schrems and the Weltimmo case have far-reaching implications and may significantly alter the business model of cross-border online operations. As a result of the Schrems case, DPAs are no longer bound by the safe harbour scheme to allow transfers of personal data from the EEA to the US – they will be free to investigate personal data transfers based on the safe harbour scheme and to begin enforcement action in respect of transfers they deem to be non-compliant. Accordingly, businesses that have been relying on the safe harbour scheme must review their existing transfer arrangements and should seek alternative options of safeguarding the privacy of personal data transferred in the US. In addition to the review of the existing data transfers, the CJEU’s approach in the Weltimmo case requires e-commerce companies to assess the legal implications of their presence in each EU Member State. One may interpret the CJEU’s judgment in a way that cross-border services should always comply with the laws of each Member State, which may unreasonably increase compliance costs. Nevertheless, alternatives should be assessed on a case-by-case basis – for example, the location of the properties advertised was a considerable but unique factor in the Weltimmo case. There may be a number of solutions to minimise the factors which connect a foreign company to a Member State. It will also be interesting to see whether the one-stop-shop system and new data transfer mechanisms to be introduced in the Data Protection Regulation will help in finding a uniform approach, as this could help to reduce uncertainty among parties.
Márton Domokos is senior counsel at CMS Cameron McKenna. He can be contacted on +36 1 483 4824 or by email: firstname.lastname@example.org.
© Financier Worldwide
CMS Cameron McKenna