Don't look now, but there's another EU data protection court case about to bite
ECJ to decide on which privacy watchdog can fine whom
It might not be getting quite the level of attention as the Max Schrems case, but tomorrow (Thursday) the European Court of Justice will rule on another case that could have similar ramifications for data protection.
The Weltimmo case involves a tricky legal question on jurisdiction for data protection issues when a company sells in one country, but is headquartered in another.
Weltimmo is a Slovakian company that was running a property sales website in Hungary. Following complaints from Hungarian citizens who used the site that the company had improperly handled their personal data, the Hungarian Data Protection Authority (DPA) fined Weltimmo.
Now the ECJ will have to rule whether the company really did fall under the territorial scope of the Hungarian data protection authority.
In his opinion in June, legal advisor to the ECJ Advocate General Cruz Villalón took the view that a company that is not "established" in a particular EU member state is not subject to the rulings of the national DPA.
Establishing what "established" means in this context will require an examination, not only of where the company has its headquarters, but also where the data was collected, stored, and processed. Further complicating matters, one of Weltimmo's owners was a Hungarian living in Hungary.
This isn't the first time that the ECJ has grappled with this question. In the case of Google Spain, the court decided that a country's laws apply "when the operator of a search engine sets up in a member state a branch or subsidiary which is intended to promote and sell advertising space offered by that engine, and which orientates its activity towards the inhabitants of that member state." In other words, if you are marketing to Spanish users in Spanish, then Spain has jurisdiction.
It remains to be seen whether the court will follow the advice of the AG or the implications of its previous ruling. That decision could have big implications for Facebook, for example, which is under investigation in many EU countries, but claims only to be subject to Irish data protection law.
The days of this haphazard approach within the EU are numbered either way, as negotiators from national ministries, the European Parliament, and the European Commission are currently in talks to agree on a General Data Protection Regulation that will apply throughout the EU. Then companies will only have to worry about which is the lead DPA under the one-stop-shop system – but that's a whole other headache! ®