Facebook Fan Pages and Widening Responsibility for Data Processing

June 4, 2018

In Case C-210/16 Unabhängiges
Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein
GmbH
, the Court of Justice of the European Union has held that the
administrator of a fan page on Facebook is jointly responsible with Facebook
for the processing of data of visitors to the page. It goes on to determine a
jurisdictional question and rules that the data protection authority of the
Member State in which the administrator has its seat may, under the (now
repealed) Data Protection Directive (Directive 95/46/EC), act both against the
administrator and against the Facebook subsidiary established in that Member
State.

The decision is based on the Data Protection Directive but,
notwithstanding the changes to data protection law made by the GDPR, remains of
real interest. It is worth remembering that many data protection cases remain
to be resolved after 25 May. Moreover, the CJEU’s views here undoubtedly reflect a
determination to see more control over Facebook-related activities at a local
level and that has an ongoing significance.

What follows is based on a Curia press release; the judgment
is now available in English here 

Facts

The German company Wirtschaftsakademie Schleswig-Holstein
operates in the field of education. It offers educational services inter alia
by means of a ‘fan page’ hosted on Facebook at the address
www.facebook.com/wirtschaftsakademie. The CJEU used the term ‘fan page’ to
cover user accounts that can be set up on Facebook by individuals or businesses,
where the author of the fan page, after registering with Facebook, can use the
platform designed by Facebook to introduce himself to the users of that social
network and to persons visiting the fan page, and to post any kind of
communication in the media and opinion market.

Administrators of fan pages, such as Wirtschaftsakademie,
can obtain anonymous statistical data on visitors to the fan pages via a
function called ‘Facebook Insights’ which Facebook makes available to them free
of charge under non-negotiable conditions of use. The data is collected by
means of evidence files (‘cookies’), each containing a unique user code, which
are active for two years and are stored by Facebook on the hard disk of the
computer or on another device of visitors to the fan page. The user code, which
can be matched with the connection data of users registered on Facebook, is
collected and processed when the fan pages are opened.

In 2011, the relevant supervisory authority, Unabhängiges
Landeszentrum für Datenschutz SchleswigHolstein (Independent Data Protection
Centre for the Land of Schleswig-Holstein, Germany), ordered
Wirtschaftsakademie to deactivate its fan page. According to the Unabhängiges
Landeszentrum, neither Wirtschaftsakademie nor Facebook informed visitors to
the fan page that Facebook, by means of cookies, collected personal data
concerning them and then processed the data.

Wirtschaftsakademie brought an action against that decision
before the German administrative courts, arguing that the processing of
personal data by Facebook could not be attributed to it, and that it had not
commissioned Facebook to process data that it controlled or was able to
influence. Wirtschaftsakademie concluded that the Unabhängiges Landeszentrum
should have acted directly against Facebook instead of against it.

The Bundesverwaltungsgericht (Federal Administrative Court,
Germany) referred the issue to the CJEU

Judgment

Processing

The Court of Justice observed that it was not disputed that
the American company Facebook and, for the EU, its Irish subsidiary Facebook
Ireland must be regarded as ‘controllers’ responsible for processing the
personal data of Facebook users and persons visiting the fan pages hosted on
Facebook. Those companies primarily determine the purposes and means of
processing that data. The Court went on to find that an administrator such as
Wirtschaftsakademie must be regarded as a controller jointly responsible,
within the EU, with Facebook Ireland for the processing of that data.

Such an administrator takes part, by its definition of
parameters (depending in particular on its target audience and the objectives
of manging or promoting its own activities), in the determination of the
purposes and means of processing the personal data of the visitors to its fan
page. In particular, the Court notes that the administrator of the fan page can
ask for demographic data (in anonymised form) – and thereby request the
processing of that data – concerning its target audience (including trends in
terms of age, sex, relationships and occupations), information on the
lifestyles and centres of interests of the target audience (including
information on the purchases and online purchasing habits of visitors to its
page, and the categories of goods or services that appeal the most) and
geographical data, telling the fan page administrator where to make special
offers and organise events and more generally enabling it to target best the
information it offers.

According to the Court, the fact that an administrator of a
fan page uses the platform provided by Facebook in order to benefit from the
associated services cannot exempt it from compliance with its obligations
concerning the protection of personal data. The Court states that the
recognition of joint responsibility of the operator of the social network and
the administrator of a fan page hosted on that network in relation to the
processing of the personal data of visitors to that fan page contributes to
ensuring more complete protection of the rights of persons visiting a fan page,
in accordance with the requirements of the Data Protection Directive.

Jurisdiction

The Court found that the Unabhängiges Landeszentrum is
competent, for the purpose of ensuring compliance in German territory with the
rules on the protection of personal data, to exercise with respect not only to
Wirtschaftsakademie but also to Facebook Ireland all the powers conferred on it
under the national provisions transposing the Data Protection Directive.

Where an undertaking established outside the EU (such as the
American company Facebook) has several establishments in different Member
States, the supervisory authority of a Member State is entitled to exercise the
powers conferred on it by the Data Protection Directive with respect to an
establishment of that undertaking in the territory of that Member State even
if, as a result of the division of tasks within the group, first, that
establishment (in the present case, Facebook Germany) is responsible solely for
the sale of advertising space and other marketing activities in the territory
of the Member State concerned and, second, exclusive responsibility for
collecting and processing personal data belongs, for the entire territory of
the EU, to an establishment situated in another Member State (in this case,
Facebook Ireland).

The Court further states that, where the supervisory
authority of a Member State intends to exercise with respect to an entity
established in the territory of that Member State the powers of intervention
provided for in Article 28(3) of the Directive on the ground of infringements
of the rules on the protection of personal data committed by a third party
responsible for the processing of that data whose seat is in another Member
State, that supervisory authority is competent to assess, independently of the
supervisory authority of the other Member State, the lawfulness of such data
processing and may exercise its powers of intervention with respect to the
entity established in its territory without first calling on the supervisory
authority of the other Member State to intervene.