Summary: The Court of Justice of the EU (the “CJEU”) has ruled that the administrators of “fan pages” on Facebook are jointly responsible (together with Facebook) for the personal data processed concerning visitors to fan pages. It also indicates that receiving only anonymised statistical information – which the recipient cannot link to particular individuals – does not necessarily preclude an organization from being a “controller” under EU data protection law.
The case concerned a German educational service provider, Wirtschaftsakademie Schleswig-Holstein (“WSH”), which operates a Facebook fan page. The German regional data protection authority (the “ULD”) ordered WSH to deactivate its fan page on the grounds that its operation was unlawful. The ULD noted that neither WSH nor Facebook informed visitors to the fan page that a cookie with a unique identifier would be placed on their devices, allowing Facebook to match visitor activity to registered Facebook users (and therefore to identify them), and that the cookies remained active for two years. WSH appealed to the German Administrative Court, arguing that it was not responsible under data protection law for Facebook’s processing of personal data or for the cookies placed. Through a series of appeals, the case reached the CJEU and, in the usual way, that court was asked to rule on a range of issues, including whether a party in WSH’s position should properly be regarded as a data controller within the meaning of the EU Data Protection Directive (Directive 95/46/EC) (the “PD Directive”).
Fan pages are user accounts that can be created on Facebook by individuals or companies; once configured, the administrator of a fan page can receive anonymous statistical information about visitors to the page through a function called “Facebook Insights”. The process of creating a fan page allows the administrator to customize and pre-select the demographic data to be included in the Facebook Insights reports it receives about the fan page, e.g. age, gender, profession, online shopping habits. An administrator can use the reports to decide where to make special offers and where to organize events, and more generally to make the information it offers as relevant as possible to visiting “fans”.
Under the PD Directive, an organization will be considered a “controller” of personal data if it (alone or jointly) determines the purposes and means of the processing of personal data. It is clear from this definition that more than one organization can be considered a “controller” of the same processing of personal data.
The judgment of the CJEU confirmed (uncontroversially) that Facebook is a data controller of the personal data processed about its users and about visitors to all “fan pages” hosted on its platform.
The most surprising aspect of the CJEU’s decision was that WSH had to be regarded as a controller of the personal data processed concerning the visitors to its fan page because, as administrator, it took part in the processing by determining the purposes and means of processing visitors’ personal data (in particular by defining parameters according to its target audience and the objectives of promoting its activities). The fact that WSH used a platform provided by Facebook in order to benefit from the associated services, in particular Facebook Insights, could not exempt it from compliance with its data protection obligations. The CJEU also noted that people who were not Facebook users would also receive a cookie if they visited the fan page, and that in these cases the responsibility of the administrator appeared even greater.
The CJEU applied the PD Directive, which was replaced on 25 May 2018 by the EU General Data Protection Regulation (the “GDPR”). The definition of “controller” is unchanged in the GDPR, so this decision will remain relevant for organizations seeking to comply with the new regulation, which may inadvertently find themselves joint controllers of personal data even if they do not have access to the personal data concerned. This could arise where a party, such as WSH, ends up with the ability to direct, or to agree with a third-party controller, how personal data is processed.
This ruling touches on the question of what it means to be “joint controllers” – a concept that is set to become more critical under the GDPR. The CJEU also recalls that joint responsibility does not necessarily imply equal responsibility. Article 26 of the GDPR defines “joint controllers” as controllers who jointly determine the purposes and means of processing and obliges them to determine in a transparent manner what their respective responsibilities are; data subjects have the right to be informed of the essence of that arrangement. In any case, whatever the arrangement between the joint controllers, a data subject is entitled to exercise his or her rights against each of them. All of these factors seem likely to make an appropriate allocation of responsibilities in a written “joint controller” agreement all the more important in the future.