News
Privacy law, recent developments
16 december 2015 – Silvie Wertwijn
Weltimmo
On 1 October 2015, the Court pronounced judgement in the Weltimmo[1] case. Weltimmo is a company registered in Slovakia, which manages a real estate website for real estate situated in Hungary. In this context, it processes personal data of its advertisers. In the first month, advertisements are placed on the website free of charge, but after this period they have to be paid for. By email, a many advertisers had requested that their advertisements and the related personal data be removed. Weltimmo, however, failed to follow up on these requests, and simply tried to collect the advertising revenues. When payments failed to come in, Weltimmo handed the personal data of the relevant advertisers to debt-collection agencies.
After complaints from the advertisers, the Hungarian College for the Protection of Personal Data imposed a fine of (the equivalent of) EUR 32.000 for breaching the Hungarian Information Act. However, according to Weltimmo, the Hungarian Information Act did not apply to her because she had no branch situated in Hungary and was located in Slovakia herself.
Next, the Court rejected these arguments. Given the right to respect for personal privacy and the prevention of any form of law evasion, the Court considered that any form of genuine and actual sustainable activity can already qualify as a ´branch´.
In any case, the activities deployed by Weltimmo consisted of the exploitation of one or more real estate sites for real estate located in Hungary, the texts of which were in Hungarian and which demanded payment for the advertisements after the first free month. The Court therefore ruled that this company focuses on the execution of a genuine and actual activity in Hungary (and was thus bound to the Hungarian privacy rules and regulations).
Practical consequences
Until now, processors of personal data assumed that, if one was lawfully established in a certain EU member state, one only needed to comply with the rules and regulations of that particular member state. This present judgement however shows that companies with activities in various EU member states have to comply with the data protection laws of each of these states – even when this activity is very limited. If your company is (minimally) active in several European countries, it is thus important to check to what extent the privacy laws of these countries apply and if these laws are being complied with.
Schremms
A few days after the ruling in the Weltimmo case, the European Court of Justice once again pronounced judgement in a privacy case[2] on October 6 last. In this ruling, the Court declared invalid the so-called “Safe Harbour” agreements between the EU and the US. It is a groundbreaking judgement with (thus far) far-reaching consequences.
Based on European privacy rules and regulations, the transfer of personal data outside the EU is prohibited, unless the third country guarantees an adequate level of protection. The Safe Harbour ruling is an agreement between the European Commission and the US and imposes a number of conditions on the transfer of personal data from the EU to the US. Transfer of personal data to the US was allowed to take place if the particular American company respected the Safe Harbour conditions. On the basis of this agreement, it was possible for many companies – among them Google, Facebook, Microsoft, Apple, Amazon and Twitter – to store data of Europeans in the US.
The data placed on Facebook by users domiciled in Europe are handed on in part or wholly to and stored on Facebook servers in the US, where the data are being processed. On this matter, the Austrian student Schremms lodged a complaint with the Irish privacy supervisor, the Data Protection Commissioner. Schremms argued that the applicable legislation and the practices of the US concerning data protection provided inadequate protection against the surveillance by government agencies of the data transmitted to that country. In support of his arguments, Schremms referred to the revelations by whistleblower Edward Snowden about the online spying activities of American intelligence agencies. The Irish supervisor rejected Schremms´s complaint and pointed to the Safe Harbour ruling, but the European Court of Justice agreed with him and declared the entire Safe Harbour ruling invalid.
The Court is of the opinion that data of Europeans are inadequately protected in the US because US companies are forced in specific situations to ignore the data protection rules and regulations.
Practical consequences
Because of the fact that the Court has declared the Safe Harbour ruling null and void, each transfer from the EU to the US is – based on the ruling – unlawful, by which a much used basis for data processing has been removed. The European Commission is now negotiating with the US to revise the Safe Harbour ruling, but in the meantime another legal foundation for the processing of data in the US has to be looked for. In that context, one can think of explicit agreement by those involved and the use of the ´Decisions on standard contractual clauses for the transfer of personal data to processors in third countries ´ drawn up by the European Commission, in which companies are obliged to provide an appropriate level of protection
Silvie Wertwijn
[2] Zaak C‑362/14, Schrems / Data Protection Commissioner (Digital Rights Ireland Ltd.)
