Judgment on June 5, 2018 with fundamental importance for companies in Europe. According to the CJEU decision, operators of fan pages on Facebook are jointly responsible with Facebook for the processing by Facebook of personal data of visitors to the fan page. The decision, which was still made under the old law, nevertheless has a direct effect on the liability of companies that are operating fan pages on Facebook and is also expected to have an impact on the responsibility of users of other platforms and services.
The proceedings were initiated by a November 3, 2011 order of the Independent Data Protection Center for Schleswig-Holstein (ULD) by which the supervisory authority had prohibited a private educational provider, Wirtschaftsakademie Schleswig-Holstein GmbH, from operating a Facebook fan page. The ULD held that data processing by Facebook was unlawful and also argued that neither Wirtschaftsakademie nor Facebook had notified data subjects about the data processing. The dispute went all the way to the Federal Administrative Court, which, in its view, referred a number of questions of relevance to the CJEU for a preliminary ruling. Two of the questions referred dealt with the possible responsibility of the site operator, the other questions concerned the competence of the German supervisory authorities and their adherence to decisions of the Irish supervisory authority.
According to the CJEU, operators of fan pages obtain anonymous statistical information on visitors to the fan pages via a function called “Facebook Insights”. Facebook collects the information for these statistics by means of cookies, which are stored on the user’s end devices for two years. Operators of fan pages can manage settings on Facebook which target audience they primarily want to address (e.g., data in terms of age, sex, occupation, centers of interest) and (jointly) control who is addressed and whose data is processed. In the CJEU’s view (para. 39), this possibility of control establishes the joint responsibility of the operator, because the administrator of a fan page hosted on Facebook is taking part in the determination of the purposes and means of processing the personal data. The operator cannot completely deactivate the analysis function, however.
The judgement remains unspecific as to whether the described control function alone leads to the site operator‘s joint responsibility or whether joint responsibility exists even where no such control option is given. The CJEU starts its considerations with a reference to the fact that the administrator of a fan page gives Facebook the option to place cookies on the computer or other device by creating such a page (para. 35). The CJEU expressly does not rule on whether this alone is sufficient to establish joint responsibility, although the Federal Administrative Court had also formulated a concrete question on the selection responsibility of page operators.
The CJEU further states that there does not necessarily have to be an equal responsibility between Facebook and the operator of the fan page (para. 43), but that the level of responsibility in different stages and for different degrees of processing can be quite different. Due to the joint and several liability of joint data controllers under the GDPR, however, claims can generally be asserted against each of the joint controllers, meaning that claims may be asserted in full against operators of fan pages for data collection by Facebook according to the CJEU judgement.
Although the judgement was issued on the basis of the EU Data Protection Directive of 1995 (Directive 95/46/EC) and not on the basis of the General Data Protection Regulation (GDPR), it is also of key importance in application of the GDPR, since the term of “controller” was adopted virtually unchanged from the Data Protection Directive into the GDPR. Accordingly, the arguments of the CJEU on the (joint) responsibility of the operator of a fan page can also be applied to the current legal situation.
The GDPR provides that joint controllers under Art. 26 GDPR enter into a contract of joint responsibility that governs, among other things, who assumes concrete obligations towards the data subjects. In addition, all obligations under the GDPR apply to controllers directly, so that the operators of fan pages must also meet the information duties according to Art. 13, 14 GDPR to data subjects and must comply with requests for information from data subjects.
In its application, the CJEU ruling is not limited to the operation of Facebook fan pages. Rather, the judgement represents a fundamental decision on the concept of the data controller and the scope of joint responsibility. When using platforms and services that are not used by way of order processing, it must therefore be assessed on an individual basis whether, according to the CJEU judgement, joint responsibility of the user with the operator of the service or platform is to be presumed. In any case, if users have control options for the data collection by the provider, joint responsibility will have to be assessed and considered in the future.
Experience with the CJEU‘s Safe Harbor ruling suggests that immediate fines by supervisory authorities are unlikely. Rather, it is to be expected that the supervisory authorities will first give companies the opportunity to adapt their use of fan pages and other services to the requirements now formulated by the CJEU. Competitors and consumer protection associations are more likely to pose an acute threat by way of warnings. Whether and how Facebook has reacted to the decision is unknown to date. If Facebook fails to offer any solutions (contract on joint responsibility, transparency in data processing) in the short term, deactivation of the fan pages will have to be considered. Irrespective thereof, an assessment of the other services and platforms not used as part of order processing is recommended, at least where evaluations of user behavior or comparable data surveys of users are carried out. This may also affect tools and trackers on company websites.
Update June 7, 2018