The Weltimmo decision (Weltimmo) handed down by the European Court of Justice (ECJ) on 1 October was largely glossed over in the press on account of the attention which the Safe Harbour ruling made by the same court on 6 October last garnered.
Weltimmo however sets a precedent which means that companies that conduct business activities in a number of different EU Member States may need to consider how such activities will be viewed by data protection regulators in each of those Member States.
Weltimmo concerned a Slovakian company running a website which advertised properties in Hungary. Complaints were made against the company by users of the website to the Hungarian data protection regulator who then imposed a fine on Weltimmo for breach of Hungarian data protection law. Weltimmo appealed the fine and the matter found itself before the Hungarian Supreme Court.
The Supreme Court subsequently referred to the ECJ on points of EU law. The ECJ ruled that the EU Data Protection Directive allows a data protection regulator in one EU Member State to apply its national data protection law when dealing with an organisation which is based in a different EU Member State. The key issue in the ECJ's ruling came down to an organisation's"establishment" in another EU Member State. The ECJ ruled that on the facts in Weltimmo, the company although registered and for the most part based in Slovakia, was deemed to also be “established” in Hungary. As such the Hungarian data protection regulator could deal with the complaints it had received under Hungarian data protection law.
This decision has the potential to increase compliance costs for companies carrying out business activities in numerous EU Member States on account of the fact that such companies now appear to be subject to a number of different data protection regulators.
European data protection law is changing rapidly before our eyes and companies operating in the EU will need to keep on their toes in order to comply.
Before the judgment, companies such as Facebook which choose to headquarter their European operations in one country, such as Ireland, were thought to be subject to regulation only within that country. The companies could then operate in any EU member state without having to gain regulatory approval in each country.