tadamichi - Fotolia

Facebook ruling not only landmark data protection case in Europe, say experts

A landmark ruling against Slovakia-based website Weltimmo could impact the Max Schrems case against Facebook and new European data protection rules currently being finalised

On the eve of a highly anticipated landmark ruling by Europe’s top court, legal experts say another landmark privacy ruling has been largely overlooked.

On 6 October 2015, the European Court of Justice (ECJ) is set to rule in the case against the Irish data protection commissioner and Facebook brought by Austrian privacy campaigner Max Schrems.

The ruling could have profound implications for high-tech relationships between the US and the European Union (EU), potentially scuppering the safe harbour agreement, which provides a means for US companies to transfer personal data from the EU to the US.

However, on 1 October 2015, the ECJ’s ruling on data protection legislation in the case against Slovakia-based property site Weltimmo will have far reaching implications for tech giants processing data in Europe, including Facebook and Google, say legal experts.

The case was brought by the Hungarian data protection authority against Weltimmo, which operates a property advertising service in Hungary.

Advertisers complained to Hungary’s data protection authority after Weltimmo failed to comply with requests to take down the ads, while continuing to charge for the service.

When payments were not made, Weltimmo transferred personal data to a debt collection agency, attracting a €32,000 fine for contravening Hungarian data protection laws. When Weltimmo refused to pay, the Hungarian data protection authority took the case to the ECJ.

According to the ruling in favour of the Hungarian data protection authority, companies that have websites translated into another language – targeting consumers of European member states – may now have to comply with the regulations in each individual member state.

The ruling has changed the face of data protection for companies operating across multiple EU jurisdictions, particularly those who are consumer facing, according to Ashley Winton, UK head of data protection and privacy at international law firm Paul Hastings.

Previously, European laws allowed multinational businesses with operations in Europe to only be subject to the data protection laws of the European country in which they are based.

This was to the benefit of many companies, such as Facebook, that elected to create an establishment in the UK or Ireland, where data protection laws and practices are more liberal and arguably more business friendly. 

But according to Winton, the ruling in the Weltimmo case dramatically increases compliance costs – particularly where a website is targeted at multiple member states – and makes the company subject to multiple data protection authorities.

“We expect this case will be welcomed by data protection authorities and, as a result, social media and e-commerce multinationals will need to urgently consider their European data protection compliance strategies. With the appetite for enforcement high across a number of member states, the repercussions for non-compliance could be huge,” he said.

The Weltimmo ruling could give national data protection authorities more power to enforce local rules, and legal experts believe it is likely to impact the Max Schrems case against Facebook.

The ruling could also influence new rules governing the one-stop-shop approach to regulation across Europe that are currently being finalised in a “trilogue” between the European Commission, the European parliament and the Council of the European ministers.

Read more about new EU data protection legislation

  • The EU is working hard to achieve a unified law on data ethics and privacy, but companies should look beyond just complying with the law to gain consumer trust.
  • The last phase of negotiation is set to begin to write the final text of the latest European General Data Protection Regulation.
  • The European Parliament, Council and Commission finalise negotiations to enact the European Union General Data Protection Regulation.
  • European digital businesses say the GDPR text agreed by the EU Council of Ministers is a draconian, blunt instrument that threatens to hobble online advertising.

Read more on Privacy and data protection