Doing business in Europe? Mandatory data protection compliance in every single country

A lot has been written about two recent court cases related to Facebook. The first one is the case of the Austrian student Maximilian Schrems against the Data Protection Commissioner (European Court of Justice, case C-362/14, of 6 October 2015), finding the Safe Harbour arrangement invalid for the transfer of personal data from Europe to the US. The second case is the one by the Belgian privacy commission against Facebook of 9 November 2015 in Brussels. But what is the impact for cross-border ecommerce business in the European Union? Here are three takeaways for every company doing business in Europe, from merchants selling goods or services online in Europe to cloud computing providers, social media platforms and many others.

1. Comply in every single country, or else …

The first clear message from both court cases is that data protection and privacy compliance must be taken seriously, especially when personal data is transferred outside the European Union. Ensuring cross-border compliance with data protection law has become a top priority for data protection authorities and courts all over Europe.

A much-debated issue in the Brussels court was the territorial application of the national data protection legislation and the international jurisdiction of the local courts. Facebook argued that, because Facebook’s European headquarters are in Ireland, only the Irish data protection legislation apply and that only the Irish courts have jurisdiction. The Brussels court disagreed. All international companies with several establishments in the EU must comply with national data privacy laws, and not just with the law of the company’s main European establishment, which was recently confirmed by the CJEU in its Weltimmo judgement (C-230/14). The same goes for companies without any EU establishments, but which make use of so-called 'equipment' located on the territory of several EU member states. Such companies will be subject to the regulatory regime of multiple national data protection authorities.

2. How to transfer data from Europe to the US

In the Schrems case, the Court of Justice of the European Union found that the existence of the European Commission Decision about the so-called 'Safe Harbour' arrangement with the US did not prevent a national data protection authority from investigating individual complaints relating to the transfer of personal data to the US. The CJEU found the Safe Harbour Decision to be invalid. The so-called Article 29 Working Party, the body of representatives which includes representatives from the European Member States' data protection authorities, as well as representatives from the European Commission and the European Data Protection Supervisor, clarified a number of consequences that derived from the decision in the Schrems case. Meanwhile, the European Commission issued a communication on 6 November 2015 as well, with a practical guidance.

What are the practical consequences for (ecommerce) merchants in Europe, cloud computing providers, or social media platforms etc?  

No transfer to the US may be based solely on the invalidated regime. This means that you can only transfer data to the US using the means still allowed. Transfers are only allowed if you:

  • Make use of the Model Contractual Clauses issued by the European Commission and properly notified to the local data protection authority  (in Belgium there is the Privacy commission);
  • Make use of Binding Corporate Rules issued as outlined in the templates drafted by the Article 29 Working Party and again properly notified to the local authorities;
  • There are also exceptions - such as transfer based on consent - but this can only be used in exceptional circumstances and not for systematic transfers to the US.
  • In some EU member states you can make use of your own ad hoc contractual provisions or binding corporate rules which have been properly notified and/or approved according to local legislation;

Note that the Article 29 Working Party has indicated that, for now, the model contractual clauses or the binding corporate rules are still accepted but that they too may be re-evaluated in 2016 if no progress has been made on a political level to come to an acceptable and valid regime for data transfers between the US and the EU. Meanwhile, a new Safe Harbour regime between the US and the EU is expected early 2016. Any new Safe Harbour agreement should include obligations on the necessary oversight of access by public authorities, transparency, proportionality and redress. A new Safe Harbour agreement will probably not mean that the national data protection authorities will suddenly back down.

3. Using social media plug-ins on your company website? 

The owner of a website must properly inform its website visitors of the kind of information he is collecting, the purposes for which it is used, the types of cookies, the social media plug-ins he is using and the duration of storage of the cookie or plug-in on the surfer’s computer. But that is not all. Before activating some types of cookies and plug-ins, the surfer’s prior express consent is needed. Even the mere collection of your visitors’ IP address by using cookies or social plugins is already considered as processing of personal data. 

You can learn more about these topics in the  Web Fraud Prevention, Online Authentication & Digital Identity Market Guide 2015. Please download your free, printable PDF copy by visiting The Paypers Reports section HERE.

For more information or questions contact Edwin Jacobs.