On 26 September 2018 (5 CS 18.1157) the Higher Administrative Court in Munich (the Verwaltungsgerichtshof, in short “VGH”) confirmed the ruling of the Administrative Court in Bayreuth and the order of the regulator - the Bavarian Data Protection Supervisory Authority (“BayLDA”). The VGH held that the order for the deletion of data in connection with the Custom Audience service was lawful. The ruling deals with the legal requirements pre-GDPR but also contains a few aspects which may be of relevance for other AdTech services under the GDPR.

Custom Audience – Background and History

The BayLDA had reviewed Facebook’s Custom Audience service in October 2017. In a press release, it then commented on the data protection requirements for its use. The BayLDA had surveyed 40 companies in a Bavaria-wide audit. In the present case, the BayLDA had requested that a website owner, the operator of an online shop, delete the user list created from his Facebook account.

The case dealt only with the Custom Audience part whereby a “customer list” is uploaded. Personal data such as email addresses are transferred in hashed form to Facebook for the purpose of matching them with Facebook users and displaying targeted ads to these or a group of other users. This means that the court’s findings do not directly apply to other Custom Audience parts, such as the “via pixel” option.

Custom Audience is not a case of processing by a data processor

The VGH states that the hashing of the data does not completely eliminate the personal reference and identifiability. Therefore, data protection law still applies. The reason, according to the court, is that Facebook's system would still make it possible to assign the hashed information to a user without disproportionate effort. Aside from that, the VGH mentioned that Facebook does not qualify as a data processor in the context of Custom Audience. The court assumes that Facebook has its own decision-making and discretionary authority in determining the means and purposes of the processing, in particular with regard to the users who are to receive ads. The court mentioned, in line with the claimant’s statement, that Facebook would be completely free to carry out the service and evaluate the behaviour of its users.
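The matching step behind the court's finding on identifiability, sketched as an added example (not code from the ruling, this article or Facebook). SHA-256 over a trimmed, lower-cased address is an assumption, as are all function names and the constructed sample data. The keyed variant shows that the service only works because the recipient can link each hash to an account.

```python
import hashlib
import hmac

# Constructed sample data (not real customers or accounts).
CUSTOMER_EMAILS = ["Anna.Muster@example.com ", "bob@example.org", "carol@example.net"]
PLATFORM_ACCOUNTS = {
    "acct-1001": "anna.muster@example.com",
    "acct-1002": "dave@example.org",
    "acct-1003": "bob@example.org",
}

def normalize(email):
    # Assumed normalization: both sides must agree on it for hashes to match.
    return email.strip().lower()

def hash_email(email):
    # Unkeyed hash: anyone who holds the same address computes the same digest.
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def build_upload(emails):
    """Shop side: only digests leave the shop."""
    return sorted({hash_email(e) for e in emails})

def keyed_upload(emails, key):
    """Shop side, contrast case: HMAC with a key the recipient never sees."""
    return sorted({hmac.new(key, normalize(e).encode("utf-8"), hashlib.sha256).hexdigest()
                   for e in emails})

def match_upload(uploaded_hashes, accounts):
    """Recipient side: hash the addresses already on file and join on the digest."""
    index = {hash_email(email): account_id for account_id, email in accounts.items()}
    matched = {h: index[h] for h in uploaded_hashes if h in index}
    unmatched = [h for h in uploaded_hashes if h not in index]
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = match_upload(build_upload(CUSTOMER_EMAILS), PLATFORM_ACCOUNTS)
    # Each matched digest now points at a concrete account: pseudonymous, not anonymous.
    print("linked to accounts:", sorted(matched.values()))
    print("digests without a match:", len(unmatched))
    keyed, _ = match_upload(keyed_upload(CUSTOMER_EMAILS, b"shop-only-secret"), PLATFORM_ACCOUNTS)
    # With a secret key the recipient cannot link anything, and cannot target ads either.
    print("linked with keyed hash:", len(keyed))
```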

Consent required for Custom Audience

According to the VGH, the transfer of data to Facebook requires a legal basis which was not given here. In the present case the balancing of interests test would not go in favour of the website owner. In the opinion of the VGH, the transfer of data to Facebook would require the consent of the data subject. Since the email addresses were collected in connection with ordering processes of an online shop, it would be possible to obtain the relevant consent for advertising purposes from the data subjects, the court says.

Practical relevance and consequences

Although the decision deals with the requirements under the old German data protection law regime, it is also relevant for the situation under the GDPR. Consent as a requirement for similar AdTech services could be assessed in a similar way by other German regulators and courts. That said, it is worth noting that the GDPR mentions marketing as a legitimate interest of the data controller, and the German regulators have issued guidance which acknowledges this. Therefore, it could be argued that consent is not the only legal basis for similar services. Rather, subject to transparently informing the data subjects and compliance with other requirements, the balancing of interests test under the GDPR could be considered.

In terms of other legal requirements, it is worth noting that a so-called joint controller agreement could be required if a court assumes that both Facebook and the entity using Custom Audience are dictating the means and purposes of processing. Such agreements have been requested by the German regulators following the ECJ’s ruling on Facebook Fanpages (C-210/16). In light of these developments, Facebook is now offering relevant terms for its Insights service, called the Page Insights Controller Addendum. By virtue of their preamble, though, they do not apply to other Facebook services.

Consequently, companies should carefully check whether they have sufficient information to provide to data subjects about the relevant processes before using services such as Custom Audience. Finally, companies should consider whether they can justify the processing of personal data by the balancing of interests test or whether they need to obtain consent.