Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Oct. 1 — Potentially making it easier for European Union privacy regulators to control the activities of foreign multinationals, the European Court of Justice held Oct. 1 that EU member state data protection authorities may regulate data processing by foreign companies even if they have a minimal presence in the DPA's territory (Weltimmo s.r.o. v. Nemzeti Adatvedelmi es Informacioszabadsag Hatosag, E.C.J., No. C-230/14, 10/1/15).
In a case referred by Hungary's Supreme Court, the ECJ said that under the EU Data Protection Directive (95/46/EC), national courts may impose sanctions for privacy infringements on foreign companies with “establishments” on their territory that are linked to companies' data processing activities, but that an “establishment” could be as little as having a representative, bank account or postal address in the country.
Bart W. Schermer, a privacy lawyer and partner at Dutch legal consulting company Considerati, told Bloomberg BNA Oct. 1 that according to the ECJ ruling, an establishment of a foreign company “does not really have to be very substantial for the local DPA to have jurisdiction.”
The ruling “ has quite some impact for organizations like Facebook, and also other multinationals,” Schermer said.
The ruling may influence a proceeding in Belgium in which the Belgian Privacy Commission is seeking to sanction Facebook Inc. for privacy breaches, Schermer said.
The ECJ ruling concerned a case involving a Slovakian real estate company.
The Hungarian DPA sought to impose its largest fine to date, approximately $45,000 on the company, Weltimmo S.R.O., for allegedly failing to respect requests from Hungarian data subjects for deletion of their data, and for transferring their data to other parties (166 Privacy Law Watch, 8/28/12)(11 PVLR 1353, 9/3/12). Weltimmo contested the fine in the Hungarian courts .
The ECJ said that the Hungarian DPA had the right to impose the fine because Weltimmo has a representative, an address and bank account in Hungary and “unquestionably pursues a real and effective activity in Hungary.”
The ECJ defined the concept of an “establishment” of a company in a country other than its home country as “any real and effective activity—even a minimal one—exercised through stable arrangements.”
National courts would have to determine on a case-by-case basis if the data processing activities of foreign companies were done through “establishments” on national territory, the ECJ said.
Tom de Cordier, a partner at CMS DeBacker in Brussels, told Bloomberg BNA Oct. 1 that the “main novelty” of the ruling was the definition of an establishment, which “so far in practice was determined in a slightly stricter way.”
The ruling “ has quite some impact for organizations like Facebook, and also other multinationals.”Bart W. Schermer, Partner, Considerati
In response to the Belgian DPA's recommendation for changes, Facebook said that its European operations are based in Ireland and overseen by the Irish data protection commissioner and added that the applicability of the Belgian PrivacyCommission's recommendation was “unclear” (95 Privacy Law Watch, 5/18/15)(14 PVLR 875, 5/18/15).
Schermer said the Weltimmo ruling might “strengthen the case of the Belgian DPA” that Belgian privacy law applies to Facebook. A ruling in the Belgian case is expected in late October.
De Cordier said the presence of an establishment may be less significant in the Belgian Facebook case than demonstrating the connection of that establishment with the company's data processing operations.
The ECJ's Weltimmo judgment said that DPAs could enforce privacy laws against foreign companies “where the data processing is carried out in the context of the activities conducted on its territory by an establishment of the controller,” but Facebook has only a public affairs office in Belgium that is distinct from its data processing activities, de Cordier said.
At a recent Bloomberg Law sponsored panel, Irish Data Protection Commissioner Helen Dixon discussed the changes coming under the proposed data protection regulation and Ireland's role in overseeing multinationals with headquarters in Ireland, including Facebook.
The Weltimmo judgment also said that even if a foreign company isn't considered to have an establishment in a country, that country's DPA could still pursue a privacy case against the foreign company, but would be unable to enforce sanctions.
In this situation, there would be a “duty of cooperation” between EU DPAs, under which one DPA could ask another to impose a fine, the ECJ said.
De Cordier said that this meant in the Facebook case in Belgium, that “if Belgian law doesn't apply, it doesn't mean the Belgian DPA can't investigate.”
The Belgian DPA could pursue an investigation and ask Ireland's Office of the Data Protection Commissioner to impose sanctions, de Cordier said.
The Weltimmo ruling was “a one-stop shop decision really,” de Cordier said, referring to the supervisory system that has been put forward for the EU under the proposed data protection regulation to replace the Data Protection Directive. Under the proposed one-stop shop, a lead DPA would be established but DPAs would be expected to cooperate on enforcement.
In a separate ruling, the ECJ Oct. 1 held that a public authority can't transfer personal data to another public authority without first telling the data subject what categories of data would be transferred and for what purpose, and without providing the data subject with an opportunity to access and rectify the data (Bara v. Presedintele Casei Nationale de Asigurari de Sanatate, E.C.J., No. C-201/14, 10/1/15).
Prior notification would be in line with the “requirement of fair processing of personal data” in EU law, the ECJ said.
The Court of Appeal in Cluj, Romania, asked for the ECJ ruling in a case in which a group of self-employed workers objected to the transfer of data on their declared incomes from the country's tax authorities to its national health insurance fund.
Cambridge Associates, an Irish data protection consulting company, said in an Oct. 1 blog post that the ruling meant that data sharing between different EU public bodies should only by done on the basis of “a clear prior communication of the existence of the legal basis for the processing and the relevant controls governing the processing.”
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)