Summary: The Court of Justice of the EU (the “CJEU”) has ruled that administrators of ‘fan pages’ on Facebook are controllers, jointly with Facebook, of the personal data processed about visitors to those pages. The ruling also indicates that receiving only anonymised, statistical information (which the recipient cannot link to particular individuals) does not necessarily prevent an organisation from being a “controller” under EU data protection law.
The case concerned a German educational services provider, Wirtschaftsakademie Schleswig-Holstein (“WSH”), which operates a Facebook fan page. The regional German Data Protection Authority (the “ULD”) ordered WSH to deactivate its fan page on the grounds that its operation was unlawful. The ULD noted that neither WSH nor Facebook informed visitors to the fan page that a cookie with a unique ID would be dropped on their devices, enabling Facebook to match visitor activity against registered Facebook users (and therefore identify them), and that the cookies remained active for two years. WSH appealed against this to the German administrative court, arguing that it was not responsible under data protection law either for the processing of personal data by Facebook or for the cookies Facebook dropped. By a series of appeals, the matter reached the CJEU and, in the usual way, that court was asked to rule on a set of questions, including whether a party in WSH’s position should properly be considered a controller as defined by the EU Data Protection Directive (Directive 95/46/EC) (the “DP Directive”).
Fan pages are user accounts that can be set up on Facebook by individuals or businesses; once set up, the administrator of a fan page can receive anonymous statistical information about the page visitors via a function called ‘Facebook Insights’. The process of creating a fan page allows the administrator to customise and pre-select what demographic data should be included in the Facebook Insights reports the administrator receives about the fan page, e.g. age, sex, occupation, online purchasing habits. The reports can be used by an administrator to decide where to make special offers and where to organise events and more generally enable it to make the information it offers most relevant to visiting ‘fans’.
Under the DP Directive an organisation will be considered a “controller” of personal data if it (alone or jointly) determines the purposes and means of the processing of the personal data. It is clear from this definition that more than one organisation can be considered a “controller” of the same processing of personal data.
The CJEU ruling confirmed (uncontroversially) that Facebook was a controller of the personal data processed about its users and about visitors to any ‘fan pages’ hosted on its platform.
The more surprising aspect of the CJEU’s decision was that WSH must be categorised as a controller of the personal data processed about visitors to its fan page because, as administrator, it took part in the processing and determined the purposes and means of processing the visitors’ personal data, in particular by defining parameters based on its target audience and its objectives for promoting its activities. The fact that WSH was using a platform provided by Facebook in order to benefit from the associated services, in particular Facebook Insights, could not exempt it from compliance with its data protection obligations. The CJEU also noted that individuals who were not Facebook users would likewise receive a cookie if they viewed the fan page and that, in those cases, the administrator’s responsibility appeared even greater.
The CJEU was applying the DP Directive, which was replaced on 25 May 2018 by the EU General Data Protection Regulation (the “GDPR”). The definition of “controller” is unchanged in the GDPR and so this ruling will be relevant for organisations seeking to comply with the new regulation who may inadvertently find themselves joint controllers of personal data even though they do not have access to the personal data concerned. That could arise where a party, like WSH, finds itself with the ability to direct or agree with a third party controller how personal data are processed.
This judgment touches on the question of what it means to be “joint controllers”, a concept set to become more critical under the GDPR. The CJEU also points out that joint responsibility does not necessarily imply equal responsibility. Article 26 of the GDPR defines “joint controllers” as controllers which jointly determine the purposes and means of processing and requires them to determine in a transparent manner what their respective responsibilities are; data subjects are entitled to be told the essence of those arrangements. In any event, whatever the arrangement between joint controllers, a data subject is entitled to exercise their rights against each of the joint controllers. All these factors look set to make an appropriate allocation of responsibilities in a written “joint controller” agreement all the more important for the future.