American technology giants which hide behind the laws of the country in which they have their European HQ have been rocked by a European Court of Justice ruling which will now force them to follow the data protection laws of each country they operate in.
The landmark ruling will have serious ramifications for US firms which process millions of personal data records in Europe. Facebook is already under investigation in many EU countries, but claims only to be subject to Irish data protection law.
The issue has been one of the major sticking points in the current negotiations over the draft EU General Data Protection Regulation, which is aimed at establishing legisation that will apply throughout the EU. However, with the final version still months away – and implementation at least three years off – the ECJ ruling means companies will have to change their practices way before they had envisaged.
The ECJ decision concerns a Slovakian company – Weltimmo – which was running a property sales website in Hungary. Hungarian citizens who used the site complained that the company had improperly handled their personal data, triggering a fine by Hungarian Data Protection Authority (DPA).
Weltimmo took the case to the ECJ but the court has ruled in favour of the Hungarian regulator.
The ECJ ruling states that “data protection legislation of a Member State may be applied to a foreign company which exercises in that State”.
The precedent set is that consumers will now be able to complain to their own data protection authority in regard to the processing of personal data, “even if the law applicable to that processing is the law of another Member State”.
Ashley Winton, UK head of data protection and privacy at international law firm Paul Hastings, said: “The ruling has changed the face of data protection for companies operating across multiple EU jurisdictions, particularly those who are consumer facing.
“Companies which have websites translated into another language, targeting consumers of member states outside of their own establishment, may now have to comply with the regulations in each individual member state. This dramatically increases compliance costs, particularly where a website is targeted at multiple member states, and makes the company subject to multiple data protection authorities.”
Related stories
US firms hit by data transfer ruling
Facebook hit by illegal data use claim
Facebook chief bigs up data privacy
Facebook defends record on data
