The Court of Justice of the European Union ("CJEU") has held that the administrator of a fan page hosted by a social network, such as Facebook, may be deemed a "data controller", with joint, if not equal, liability for the processing of personal data (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd (C-210/16)). The decision has important implications for Facebook and similar platforms, as well as for parties that use such sites for non-personal purposes.
The case concerned a Facebook fan page set up by a German company offering education and training services. The company signed up to the free 'Facebook Insights' tool, accepting anonymous data (viewing statistics), in return for allowing Facebook to collect and store visitors' personal data (via cookies), and to place targeted advertising on the fan page. Crucially, the company did not obtain any personal data but, on the basis that it failed to alert visitors to Facebook's background processing, was ordered by a regional data protection authority to deactivate the page. It maintained that it was not a data controller, and that the order should have been made against Facebook, specifically Facebook Ireland.
There was no question that Facebook Inc (together with Facebook Ireland) was a data controller, but the CJEU held that the company was a joint controller, since it gave Facebook the "opportunity" to place cookies on visitors' devices. In creating a fan page, the Court reasoned, an administrator can use the filters made available by Facebook to set and define the platform's processing parameters, and in that sense "has an influence on" and "contributes to" the processing of personal data, some of which may be sensitive. The Court referenced Article 2(d) of EU Directive 95/46/EC (the "Directive"), which expressly provides that a controller is the entity that "alone or jointly with others" determines the purposes and means of processing, and "may concern several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions". It also dismissed the argument that the company had no access to the data in question, since the Directive's definition of "controller" does not require such access.
Importantly however, the Court found that joint processing did not necessarily imply equal responsibility: "…those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case."
The CJEU also assessed whether the regional data protection authority was entitled to assess the lawfulness of data processing carried out by Facebook Germany, applying German data protection law. It held that it was, on the basis that 1) Facebook Inc has a permanent establishment in Germany, namely Facebook Germany; and 2) the processing was carried out "in the context of" the activities of that establishment, namely Facebook Germany's activities in promoting and selling advertising space, which are "inextricably linked to the processing of personal data … for which Facebook Inc is jointly responsible with Facebook Ireland". The finding follows on from the decision in Google Spain (C-131/12), and reflects the typically global nature of data processing online. Even companies that process data in only one EU Member State may, depending on their other activities, face action elsewhere in the EU.
Conclusion and Application
The ruling has potentially far-reaching ramifications for administrators of Facebook and similar pages, who may find themselves subject to punitive action by the relevant data protection authorities for their part in data processing.
It also highlights the importance of privacy notices to explain how and why data is processed, particularly for visitors without a Facebook account, whose data is nevertheless processed by Facebook just by visiting a Facebook page. In that case, the Court found, the administrator's responsibility for processing "appears to be even greater". Accordingly, those using social media for business purposes need to pay particular attention to how and what they explain to users about the use of their data.
Although the decision was made under the Directive, the equivalent provisions under its replacement, the GDPR (which expressly provides for joint controllers in Article 26), are broadly similar. Either way, the boundaries of the term "data controller", and related concepts, will no doubt come under further scrutiny in the near future.