Plans for a single market have been delivered yet another blow, this time as a result of an ECJ preliminary ruling against a relatively unknown Slovakian company. The court ruled in Weltimmo SRO v. Nemzeti Adatvedelmi es Informacioszabadsag Hatosag, that national data protection authorities (DPAs) may take action against businesses that target residents in their Member State, even if the businesses are not registered in that state.

The ruling is significant for the ‘one stop-shop’ provisions currently being negotiated as part of the General Data Protection Regulation (‘GDPR’). In an earlier blog, we explained that the European Council endorsed the ‘one-stop-shop’ approach, so that in the future, organisations will only need to deal with the DPA having jurisdiction over the location of its EU headquarters, or EU location with delegated data protection responsibility.  The decision in Weltimmo says otherwise: an organisation will be subject to the authority of the DPA if it has an ‘establishment’ within the jurisdiction of the DPA. With the GDPR expected to be finalised later this year, it will be interesting to see how this ruling will be reconciled with the GDPR.
Continue Reading Another day…another set-back for Europe’s plans for a single market

Advocate General Yves Bot today delivered an opinion recommending that the European Court of Justice (ECJ) find the U.S.-EU Safe Harbor Program invalid. His opinion, while non-binding, relates to a request for a preliminary ruling referred to the ECJ by the High Court of Ireland, Irish Court in Schrems v. Data Protection Commissioner, (ECJ, No. C362/14, 23 Sept 2015).

In light Edward Snowden’s disclosures of systematic monitoring of communications by the U.S government, Maximillian Schrems, an Austrian citizen, complained to the Irish Data Protection Commissioner. When the Irish Data Protection Authority did not investigate, Schrems brought an action in the Irish courts challenging that decision.

The Advocate General’s Opinion sets out two significant recommendations.

  1. EU Member States’ national data protection (DPA) authorities must be able to investigate complaints that call into question the level of protection ensured by a third country, such as the United States, and be able to suspend transfers of personal data if the DPA considers the transfer to undermine individuals’ protections.
  2. Commission Decision 2000/520/EC, which found transfers of personal data to the U.S. under the Safe Harbor Program provided an adequate level of protection for transfers of personal data under Article 26 of the EU Data Protective Directive 95/46/EC, should be declared invalid as Safe Harbour cannot ensure an adequate level of protection.

Continue Reading Safe Harbor Invalid! Will the ECJ follow the Advocate General recommendation?

The European Courts of Justice (ECJ) ruled in the case of Institut professionel des agents immobiliers (IPI) v. Englebert, E.C.J No. C 473/12, 11/07/13) that EU member states have the option, but not an obligation, to transpose the list of exceptions provided under Article 13 of the EU Data Protection Directive 95/46/EC, which allows