In June 2018 the European Court of Justice’s Grand Chamber decided on a long awaited case regarding the responsibility of the administrators of Facebook fan pages, relating to the personal data of visitors to fan pages. The original dispute started in 2011, discussing whether there is any liability of a private organization running a fan page on Facebook. The case itself was in the regime of Directive 95/46/ES (the “original directive”), however, as the definitions of data controller and data processor are identical in both the original directive and EU General Data Protection Regulation (GDPR) , the conclusions are fully applicable in the current GDPR regime as well.
In the present case, the German Wirtschaftsakademie collected the data of the fan page visitors, using special tools provided by Facebook itself. The administrator of the fan page (i.e. Wirtschaftsakademie) defined the parameters of the fan page via content targeted specifically to its visitors. The special tools from Facebook equip the fan page administrator with demographic data of the visitors (in anonymized form) and therefore the administrator processes such data concerning the target audience, including age, sex, relationship and occupation, information of lifestyle and geographical data. Based on this data, the administrator may make special offers or organize events, which are better targeted to the “right” audience. Just the mere fact, that the tools are provided by Facebook, does not exempt the administrator of the fan page from his responsibility.
The General Advocate Bot issued a related opinion in October 2017, which stated that the fan page administrator and Facebook were joint controllers. The final decision was even more specific in this respect by stating that amount of the responsibility of both joint controllers is different.
The result of this final June decision is that the fan page administrator is a joint controller responsible for that processing within the EU, jointly with Facebook Ireland. However, the amount of their responsibility is different (putting more weight on Facebook). This landmark decision is even more important because it is not just Facebook-related. It also concerns other widely used products and services providing data of a large number of people.
Finally, the court confirmed that the relevant German DPA may also review data processing by Facebook Ireland (being in a different EU member state): “supervisory authority is competent to assess, independently of the supervisory authority of the other Member State (Ireland), the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.” That is in line with previous ECJ decisions, according to which the internet service providers may be held accountable for data processing not only in the EU country of their corporation but also in the countries to which their operations were “inextricably linked”.
The conclusion of the judgment is clear: administrators of individual pages may no longer avoid their responsibility by simply stating that Facebook fully controls its platform and provides related tools to manage data on fan page visitors. The administrators of such fan pages now have to bear their own share of liability.
The possible liability of administrators is not entirely surprising. For example, the EU data protection authorities, way back in 2009, concluded that social network users are under certain conditions not protected by the “household exemption” from the binding data protection rules and regulations – and have to observe the privacy risks, particularly when working with personal data of users or other non-members. The trend regarding social networks seems to be clear – Establish a (joint) liability of as many (joint) controllers as possible.