You are here

Landmark EU ruling on data protection ‘dramatically increases compliance costs’

Companies operating across multiple jurisdictions expected to comply with local legislation

2 October 2015

Add comment

By Manju Manglani, Editor (@ManjuManglani)

In a landmark judgment, the Court of Justice of the European Union ruled yesterday that international companies should abide by the data protection legislation of the jurisdictions in which they operate.

The ruling in the Weltimmo case will have far-reaching implications for technology companies processing data in Europe, including Facebook and Google.

Commenting on the news, Ashley Winton, UK head of data protection and privacy at Paul Hastings, said the ruling has "changed the face of data protection for companies operating across multiple EU jurisdictions, particularly those which are consumer facing".

The court ruled that data protection legislation of a member state may be applied to a foreign company which exercises in that state.

It found that each member state must apply the provisions it adopted pursuant to the directive where the data processing is carried out.

The court noted that the presence of only one representative could be sufficient to constitute an establishment.

In addition, the court found that the concept of 'establishment' extends to any real and effective activity - even a minimal one.

Previously, European laws allowed multinational businesses with operations in Europe to be only subject to the data protection laws of one European country.

Some companies had consequently elected to create an establishment in the UK or Ireland, where data protection laws and practices are more liberal.

Winton said that, as a result of the ruling, companies that have websites translated into other languages and which target consumers of member states outside of their own establishment may now have to comply with the regulations of each individual member state.

"This dramatically increases compliance costs, particularly where a website is targeted at multiple member states, and makes the company subject to multiple data protection authorities," he warned.

"We expect that this case will be welcomed by data protection authorities, and as a result, social media and e-commerce multinationals will need to urgently consider their European data protection compliance strategies. With the appetite for enforcement high across a number of member states, the repercussions for non-compliance could be huge."

The court noted that a national authority cannot impose penalties outside the territory of its own state.





Categorised in:

Business development & Strategy Risk & Compliance