An order issued by the Office of the Data Protection Commissioner for the German state of Schleswig-Holstein (“ULD”) against the administrator of a Facebook Page has been overruled by a German appeals court. The court has ruled that Facebook, as data controller, is legally responsible for the personal data of visitors to a Facebook Page.

The Higher Administrative Court of Schleswig-Holstein ruled yesterday that businesses that create and administer Facebook Pages to connect with clients, customers and potential customers have no input into the technical and legal aspects of the data processing undertaken by Facebook. The administrators therefore carry no legal responsibility. The administrators currently receive anonymised statistics about Facebook users who visit their page.

The ruling outlines that the ULD does not have the authority to order Facebook Page administrators to deactivate their pages for violations of German data protection law. The Higher Administrative Court confirmed an October 2013 ruling by the Administrative Court of Schleswig-Holstein.

Dr. Thilo Weichert, Independent Centre for Privacy Protection, has stated his disappointment with the ruling, describing it as “a catastrophe and a setback for data protection”. Dr. Weichert pointed to the fact that the court said that those affected by possible privacy violations should file a complaint against Facebook; however, the court failed to specify whether complaints should be filed against Facebook Inc. in the U.S., Facebook Ireland or Facebook Germany.

In Germany, several lawsuits against Facebook Ireland over privacy matters have been rejected by courts that have maintained that, as Facebook’s European headquarters is located in Ireland, Irish law applies. A conflicting decision was made last year, when a German court ruled that German data protection law does apply to Facebook.

The new EU General Data Protection Regulation (“GDPR”), summarised in a previous post, envisages a “one-stop-shop” approach to enforcement. Subject to the GDPR, EU citizens can go to their national authority for complaints covering breaches anywhere in the EU, while companies need only deal with the authority of their main country of establishment. This decision has given further legal certainty to U.S. multi-national companies operating European headquarters in Dublin.

The issue is one of many facing Helen Dixon in her new role as the Irish Data Protection Commissioner.