On 5 June the European Court of Justice ruled that the administrator of a fan page on Facebook is responsible for the processing of data of visitors to the page – the full judgement can be found here: http://curia.europa.eu/juris/celex.jsf?celex=62016CJ0210&lang1=en&type=TXT&ancre=
What’s this all about?
A German company called Wirtschaftsakademie Schleswig-Holstein offered services in the educational field by means of a fan page hosted on Facebook. Administrators of the fan page can obtain anonymous statistical data on visitors to the fan pages through a function called “Facebook Insights”. The data is collected by cookies, containing a unique user code, which are active for two years and stored by Facebook on a computer’s hard disk or on another device of users registered on Facebook. The user code, which can be matched with the connection data of users registered on Facebook, is collected and processed when the fan pages are opened.
In 2011 the German data protection regulator for Schleswig-Holstein (the Independent Data Protection Center for the Land of Schleswig-Holstein) ordered Wirtschaftsakademie to deactivate its fan page (on pain of a penalty payment if it failed to comply) because, according to the regulator, neither the Wirtschaftsakademie nor Facebook informed visitors to the fan page that Facebook collected, through cookies, personal data about visitors and then processed the data.
Wirtschaftsakademie took legal action before the German courts against the regulator’s decision, arguing that the processing of personal data by Facebook could not be attributed to Wirtschaftsakademie and that it had not commissioned Facebook to process data that it controlled or was able to influence. Eventually a (higher) German court sought an interpretation of a number of issues (including jurisdiction) that this matter raised under the EU Data Protection Directive (95/46) and referred the matter under the preliminary reference procedure to the European Court of Justice for a legal ruling.
What did the European Court rule?
Amongst other issues, the European Court ruled that Facebook (through its Irish subsidiary) was a data controller as regards processing personal data of persons visiting the fan pages and that an administrator like the Wirtschaftsakademie must be regarded as a joint data controller for the processing of that data.
The court said that an administrator takes part “by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page.”
The court noted that “In particular, the administrator of the fan page can ask for – and thereby request the processing of – demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.”
The court said that “While the audience statistics compiled by Facebook are indeed transmitted to the fan page only in anonymized form, it remains the case that the production of those statistics is based on the prior collection, by means of cookies installed by Facebook on the computers or other devices of visitors to that page, and the processing of the personal data of those visitors for such statistical purposes.”
The court also emphasised that “fan pages hosted on Facebook can also be visited by persons who are not Facebook users and so do not have a user account on the social network. In that case, the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data.”
The court therefore concluded that “The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data” and that “the concept of ‘controller’ within the meaning [of the relevant provision of the EU Data Protection Directive] encompasses the administrator of a fan page hosted on a social network”.
Although this case was decided under the EU Data Protection Directive, it can be assumed that the same interpretation would be applied under the EU General Data Protection Regulation (GDPR), which has now replaced the directive. It will also be recalled that Article 26 of GDPR makes specific provision for joint controllers (“Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers […] etc.”).
What is the key takeaway?
The key takeaway is that if an organisation is hosting a fan page on social media it will very likely be considered as a joint controller of visitors’ personal data processed there, with all the responsibility and liability that comes with that (under GDPR). Organisations may therefore wish to review their use of their fan pages on social media accordingly.
We write and make films about data protection issues that can be found here: http://www.corderycompliance.com/category/data-protection-privacy/. You can find out more about GDPR in our GDPR FAQs here: http://www.bit.ly/gdprfaqs. We also have a GDPR Navigator subscription service, the details of which can be found here: http://www.bit.ly/gdprnav.
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784. Jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785. Andre.bywater@corderycompliance.com