“The administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of visitors to the page.”
That’s the conclusion reached this week by the Court of Justice of the European Union (CJEU) in Luxembourg, in its judgment in Case C-210/16.
The case stems from a decision handed down in 2011 by the data protection authority of the German state of Schleswig-Holstein, ordering the German business academy Wirtschaftsakademie to deactivate its Facebook fan page.
The order was based on a breach of the EU’s Data Protection Directive 95/46, the rules since replaced by the General Data Protection Regulation (GDPR), which became fully applicable at the end of May. The Schleswig-Holstein data protection authority (DPA) found the academy’s Facebook page in breach because visitors were not told that cookies were being placed on their devices to track them, nor that their data was being collected and stored.
Wirtschaftsakademie challenged the decision in the German administrative courts, and the questions were referred to the CJEU. This judgment upholds Schleswig-Holstein’s position, while adding important detail around the roles of data controller and data processor, distinctions that the GDPR spells out but that are causing increasing consternation for global leaders in data collection such as Facebook and Google.
From the judgment:
The Court finds that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data.
Such an administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of managing or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page.
This means that page administrators can collect data, but only in certain situations and with consent.
The court noted that admins can ask for anonymized demographic data — with consent — “concerning [the page’s] target audience (including trends in terms of age, sex, relationships and occupations), information on the lifestyles and centres of interests of the target audience (including information on the purchases and online purchasing habits of visitors to its page, and the categories of goods or services that appeal the most) and geographical data, telling the fan page administrator where to make special offers and organise events and more generally enabling it to target best the information it offers.”
Importantly, the court says that the page admin must provide clear communication around its intent and collect consent — in addition to the consent Facebook is required to collect:
According to the Court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.
The Court states that the recognition of joint responsibility of the operator of the social network and the administrator of a fan page hosted on that network in relation to the processing of the personal data of visitors to that fan page contributes to ensuring more complete protection of the rights of persons visiting a fan page, in accordance with the requirements of Directive 95/46 on data protection.
A Facebook spokesperson said in a statement:
We are disappointed by this ruling. Businesses of all sizes across Europe use internet services like Facebook to reach new customers and grow. While there will be no immediate impact on the people and businesses who use Facebook services, we will work to help our partners understand its implications. We are compliant with applicable European law and as part of our preparations for GDPR, we have further improved our privacy policies, controls and tools to make them clearer.
The ruling may also affect DPAs’ jurisdiction
After the CJEU’s Advocate General issued an opinion along the same lines in 2017, Eduardo Ustaran, a partner in the global privacy and cybersecurity practice at law firm Hogan Lovells, predicted in a LinkedIn post that year that the outcome of the case would have far-reaching consequences:
Crucially, whilst Facebook itself is not a party to the proceedings, the ruling will affect every multinational which — like Facebook — has appointed one of its EU companies as the single controller for all of their European data processing activities.
In that post Ustaran raised the concern that a local DPA could issue decisions binding on companies established in other member states, in this case Facebook, whose EU establishment is in Ireland. That, he argued, runs against the letter of the GDPR’s one-stop-shop mechanism, under which a company is meant to answer to the supervisory authority of its main establishment. The judgment bears the concern out: the Court held that, under Directive 95/46, the Schleswig-Holstein DPA could exercise its powers against Facebook’s German establishment even though Facebook Ireland is the controller for processing in the EU.
Ustaran reiterated that concern in a tweet this week:
How that plays out, we’ll have to wait and see.