Facebook Fan page administrators: mind the personal data processing rules

Judgment
C-210/16
05.06.2018
Preliminary ruling
Parties: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH
Jurisdiction: Court of Justice
Formation: Grand Chamber
Judge Rapporteur: A. Tizzano
Advocate General: Y. Bot
Subject-matter: Approximation of legislation
Keywords: Reference for a preliminary ruling — Directive 95/46/EC — Personal data — Protection of natural persons with respect to the processing of that data — Order to deactivate a Facebook page (fan page) enabling the collection and processing of certain data of visitors to that page — Article 2(d) — Controller responsible for the processing of personal data — Article 4 — Applicable national law — Article 28 — National supervisory authorities — Powers of intervention of those authorities

Significant points

This reference for a preliminary ruling was made by the Bundesverwaltungsgericht (Federal Administrative Court, Germany) in a case concerning a company operating in the field of education, the Wirtschaftsakademie, which offers educational services, inter alia, by means of a fan page hosted on Facebook.

A "fan page" can be created by any user of the social network Facebook subject to acceptance of the general terms and conditions of use. The creation of such a page not only makes it possible to edit content, collect personal data and interact with users (as is not possible with a website), but also - and automatically - to benefit from the results of an audience analysis tool, "Facebook insights", developed by Facebook.

Whereas for websites the creation of audience statistics requires an action by the site editor (installation of an audience analysis tool), the administrator of a Facebook "fan page" benefits from this function without any intervention on his part. Statistics are thus generated by the social network independently of any request from the fan page administrator. This difference from the situation of the publisher of a website could suggest that only Facebook is the controller for the processing carried out by "Facebook insights", since the administrator of the "fan page" does not directly carry out any processing and has no control over the processing carried out by the social network.

By decision of 3 November 2011, the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany; hereafter “ULD”) ordered Wirtschaftsakademie to deactivate its fan page. The ULD made this order in its capacity as supervisory authority within the meaning of Directive 95/46 on data protection, with the task of supervising the application in the Land of Schleswig-Holstein of the provisions adopted by Germany pursuant to that directive.

The ECJ was called upon to rule on several points of law which condition the application of the Member States' national laws on the protection of personal data, namely the concept of controller and the question of determining the applicable law and competent authority in a situation where the social network has several establishments on the territory of the European Union.

1. Recalling that the objective of Article 2(d) of Directive 95/46 is to ensure effective and complete protection of the persons concerned through a broad definition of the concept of ‘controller’ (thus following the Google Spain reasoning), the Court found that an administrator, such as Wirtschaftsakademie, must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of data. Indeed, the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account (paragraph 35).

The administrator of a fan page hosted on Facebook defines the personal data to be processed by Facebook for the purposes of drawing up statistics. Consequently, such an administrator takes part in the determination of the purposes and means of processing the personal data of the visitors to its fan page (paragraphs 36 and 39).

The Court also emphasises that in case of joint data processing, it is not necessary that each of the controllers has access to the personal data concerned (paragraph 38).

Moreover, fan pages hosted on Facebook can also be visited by persons who are not Facebook users and so do not have a user account on that social network. In that case, the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data (paragraph 41).

However, the existence of joint responsibility does not necessarily imply equal responsibility on the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all relevant circumstances of the particular case (paragraph 43).

2. Secondly, the Court found that the ULD is competent, using all the powers conferred on it under national law, to ensure compliance with the rules on the protection of personal data in Germany not only by Wirtschaftsakademie but also by Facebook Germany, a secondary establishment of Facebook Ireland, which is responsible for data protection, even though Facebook Germany is responsible only for promoting and selling advertising space. Given that a social network such as Facebook generates a substantial part of its income from adverts posted on the web pages set up and accessed by users, and given that Facebook’s establishment in Germany is intended to ensure the promotion and sale in Germany of advertising space that makes Facebook’s services profitable, the activities of that establishment must be regarded as inextricably linked to the processing of personal data at issue in the main proceedings, for which Facebook Inc. is jointly responsible with Facebook Ireland. Consequently, such processing must be regarded as being carried out in the context of the activities of an establishment of the controller within the meaning of Article 4(1)(a) of Directive 95/46 (paragraph 60), given that that provision does not require that such processing be carried out ‘by’ the establishment concerned itself, but only that it be carried out ‘in the context of the activities of’ the establishment (paragraph 57).

3. The Court found, thirdly, that in the case of a data controller located in another Member State, the ULD is, independently of the authority of that Member State, competent to (i) assess whether the data controller has acted lawfully in Germany and (ii) exercise its intervention powers.

Noteworthy

The main contribution of this judgment lies in the broad interpretation given to the notion of ‘controller’. It is, thus, not necessary to technically process personal data. The simple parameterization of the data to be processed is sufficient to qualify the person having carried out this action as "responsible for the processing of personal data". In our view, this definition should also be applicable under the GDPR, which uses the same definition of the notion of ‘controller’ as the one employed in Directive 95/46. It should be stressed that, in the presence of two controllers, Article 26 of the GDPR will have to be applied and that the controllers will have to comply with the formalities set out therein, in particular by jointly and transparently defining the responsibilities of each party. An infringement of Article 26 of the GDPR may lead the authority in charge of the protection of personal data to impose significant penalties (among others: injunction to comply with the GDPR, fine of up to EUR 10 million or 2% of the turnover of the last financial year, injunction to cease temporarily or definitively the personal data processing).

The interpretation given by the ECJ to the notion of personal data controller is, in our opinion, very broad. Indeed, it will increase the administrative burden and the liability of the administrator of a fan page on Facebook and of administrators of similar pages on other social media, even though these administrators do not have any control over the personal data processing by the social media provider and do not have the possibility to negotiate and discuss with the social media provider, given that the general conditions of use of such pages are not negotiable.

On the other hand, it appears, on the basis of a preliminary analysis, that the last two points developed by the Court are no longer relevant following the introduction of the new GDPR, as it created a new concept, the lead supervisory authority, competent to rule on matters regarding cross-border processing carried out by controllers (Article 56 of Regulation 2016/679, the GDPR).