European Court opens up data protection liability – issues for insurers and insureds

Cyber security and data protection remains one of the fastest changing regulatory areas affecting businesses today. Organisations face the combined challenges of heightened scrutiny and enforcement action from regulators, as well as growing scope for liability from civil claims. Courts, both on the national and European levels, are increasingly willing to establish liability in order to protect the rights of individual data subjects – as exemplified in the recent European Court decision of Weltimmo S.R.O. v. Nemzeti Adatvédelmi és Információszabadság Hatóság.

In Weltimmo, a Slovakian registered company marketed a web-based property advertising platform to individuals in Hungary. Over time, a number of these individuals asked that their adverts be taken down. In many cases, Weltimmo failed to take down their adverts and continued to charge for its services. When the individuals concerned refused to pay these charges, Weltimmo passed on their personal data to debt collection agencies. As a result some of the individuals affected complained to the Hungarian data protection authority, which commenced enforcement action and imposed a fine against Weltimmo.

Weltimmo challenged the fine, arguing that the Hungarian authority had no jurisdiction to bring enforcement action against them, as Weltimmo had no registered office in Hungary. The main issue in question was whether Weltimmo, despite having no registered office or branch in Hungary, was “established” in Hungary for the purpose of the Data Protection Directive and, therefore, subject to Hungarian data protection laws.

Despite Weltimmo’s arguments to the contrary, the European Court found that it was established in Hungary. In doing so, the European Court took into account the fact that Weltimmo targeted its marketing at Hungarian individuals, that Weltimmo’s website was written in Hungarian, and that it had both a personal representative and post box in Hungary. These amounted to the carrying out of “real and effective activities” through “stable arrangements”, meaning that Weltimmo was “esblished” in Hungary for the purposes of the Directive.

As a result of the Weltimmo decision, businesses must now effectively comply with the data protection laws of each member state in which they process personal data on a stable basis, even if they have no registered branch or office in that state or, indeed, the rest of the EU. Failure to comply may give rise to civil claims under the data protection laws of those states and enforcement action from that state’s data protection authority. This, of course, has significantly increased the potential scope for liability under the Directive, especially for businesses with a pan-European online presence.

In the insurance context, Weltimmo is likely to have significant implications for both insurers and insureds. Businesses will have to be careful to ensure that their policies provide broad enough cover to extend to all the jurisdictions in which they process personal data. This may be a particular issue for businesses, such as online retailers, that collect personal data across a number of jurisdictions to be stored on one centralised server or system. In the event that a data breach occurs with this system, an insured may be liable under a number of separate national regimes, both in terms of individual claims for compensation and potential penalties by regulators.

Insurers in turn will want to consider carefully how such multiple potential claims will be treated under their respective policies. Businesses may now face a variety of different claims under different legal systems in relation to the same underlying breach. Insurers will want to consider how aggregation will operate for such claims – particularly in respect of the application of any retention and/or limitation amounts under such policies.