In a decision which is making waves, the Court of Justice of the European Union (the “Court”), on 5 June 2018, ruled that administrators of fan pages on social networks may be considered as “joint controllers”, along with the companies responsible for those social networks, regarding the processing of personal data of social network users which may be carried out via those pages.
Though based on the now repealed Data Protection Directive, the similarities between the provisions of the Directive assessed and those found in the GDPR mean that the decision maintains relevance in the current framework.
Administrators of fan pages on Facebook are able to obtain anonymous statistical information on fan page visitors – whether or not these visitors have a Facebook account – by means of the “Facebook Insights” service. This service automatically places “cookies” (i.e., small text files) onto devices used by visitors, containing a unique user code, which can be read and matched to those users by Facebook. The resulting information (which is considered as “personal data”) is used to provide aggregated statistics to fan page administrators, and also to enable Facebook to improve its ability to target advertisements over its network.
The Court’s decision results from the actions of the German supervisory authority for the Land of Schleswig-Holstein, which issued an order against Wirtschaftsakademie Schleswig-Holstein GmbH – an administrator of a Facebook fan page – to deactivate the fan page set up. The reasoning for this order was that neither the administrator nor Facebook informed visitors that this processing would occur. The administrator contested this, essentially maintaining that it should not be considered a controller in relation to processing carried out solely by Facebook. The matter was brought before the German courts, culminating in a referral to the Court of Justice of the European Union.
Advocate-General Bot, in his Opinion, stated that the decision to create and operate a fan page on Facebook is what triggers this data processing, and that administrators can decisively influence the termination of this processing, by deactivating the fan page. The Court noted that merely making use of a social network would not suffice to render the user a joint controller regarding the processing of personal data by that network; however, by creating a fan page and relying on “Facebook Insights”, the administrator effectively enables Facebook’s ability to place cookies on visitors’ devices.
Additionally, “Facebook Insights” allows administrators to define abstract criteria regarding the “target audience” of their fan page, based upon which information will be collected and statistics will be generated (e.g., age, sex, occupation, purchasing habits). As such, the Court held that administrators contribute to determining the purposes of processing of personal data on these visitors, even though they actually receive no “personal data” (but only anonymized, aggregated statistical reports) – this is because, as the Court clarifies, “Directive 95/46 does not, where several operators are jointly responsible for the same processing, require each of them to have access to the personal data concerned [in order to be considered data controllers]”.
In conclusion, the Court stressed that relying on a social network in order to benefit from associated services will not exempt fan page administrators from compliance with their obligations regarding the processing of personal data – in particular, providing adequate information to data subjects.
The Court’s decision highlights that companies must reassess their relationship with social networks, as they may be found to be joint controllers regarding the processing of personal data which is carried out over those social networks, if they somehow enable or contribute to that processing.
Art. 26 of the GDPR requires joint controllers to establish an arrangement, determining their respective responsibilities for compliance with the GDPR. It is expected that social networks will provide means for these arrangements to be established – Facebook has issued a statement on this (available only in German), although concrete measures taken are still unknown.
In the short-term, companies operating fan pages on Facebook (or in similar situations on other social networks) should consider the following:
- Reaching out to the social network in order to understand how they intend to handle (1) information requirements to data subjects, and (2) the need for an arrangement under Art. 26 GDPR, allocating responsibilities.
- If all else fails or is not deemed satisfactory, consider deactivating fan pages until further compliance measures are presented by the social network operators.