The Court Justice of the European Union recently held that the administrator of a Facebook fan page is jointly responsible with Facebook for the processing of data of visitors to the page.
As set forth in a June 5 ,2018 press release, the German company Wirtschaftsakademie Schleswig-Holstein operates in the field of education. It offers educational services by means of a fan page hosted on Facebook. Fan pages are user accounts that can be set up on Facebook by individuals or businesses. To do so, the author of the fan page, after registering with Facebook, can use the platform designed by Facebook to introduce himself to the users of that social network and to persons visiting the fan page, and to post any kind of communication in the media and opinion market.
Administrators of fan pages, such as Wirtschaftsakademie, can obtain anonymous statistical data on visitors to the fan pages via a function called “Facebook Insights” which Facebook makes available to them free of charge under non-negotiable conditions of use. The data is collected by means of evidence files (“cookies”), each containing a unique user code, which are active for two years and are stored by Facebook on the hard disk of the computer or on another device of visitors to the fan page. The user code, which can be matched with the connection data of users registered on Facebook, is collected and processed when the fan pages are opened.
By decision of 3 November 2011, the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany), as supervisory authority within the meaning of Directive 95/46 on data protection, with the task of supervising the application in the Land of Schleswig-Holstein of the provisions adopted by Germany pursuant to that directive, ordered Wirtschaftsakademie to deactivate its fan page.
According to the Unabhängiges Landeszentrum, neither Wirtschaftsakademie nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected personal data concerning them and then processed the data.
Wirtschaftsakademie brought an action against that decision before the German administrative courts, arguing that the processing of personal data by Facebook could not be attributed to it, and that it had not commissioned Facebook to process data that it controlled or was able to influence.
Wirtschaftsakademie concluded that the Unabhängiges Landeszentrum should have acted directly against Facebook instead of against it.
It is in that context that the Bundesverwaltungsgericht (Federal Administrative Court, Germany) asked the Court of Justice to interpret Directive 95/46 on data protection.
In its judgment, the Court of Justice observed that it is not disputed that Facebook (U.S.) and, for the EU, its Irish subsidiary Facebook Ireland must be regarded as “controllers” responsible for processing the personal data of Facebook users and persons visiting the fan pages hosted on Facebook. Those companies primarily determine the purposes and means of processing that data.
The Court found that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data.
The Court further found that such an administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of managing or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page.
In particular, the Court noted that the administrator of the fan page can ask for demographic data (in anonymized form) – and thereby request the processing of that data – concerning its target audience (including trends in terms of age, sex, relationships and occupations), information on the lifestyles and centers of interests of the target audience (including information on the purchases and online purchasing habits of visitors to its page, and the categories of goods or services that appeal the most) and geographical data, telling the fan page administrator where to make special offers and organize events and more generally enabling it to target best the information it offers.
According to the Court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.
The Court stated that the recognition of joint responsibility of the operator of the social network and the administrator of a fan page hosted on that network in relation to the processing of the personal data of visitors to that fan page contributes to ensuring more complete protection of the rights of persons visiting a fan page, in accordance with the requirements of Directive 95/46 on data protection.
In addition, the Court found that the Unabhängiges Landeszentrum is competent, for the purpose of ensuring compliance in German territory with the rules on the protection of personal data, to exercise with respect not only to Wirtschaftsakademie but also to Facebook Ireland all the powers conferred on it under the national provisions transposing Directive 95/46.
“Where an undertaking established outside the EU (such as Facebook) has several establishments in different Member States, the supervisory authority of a Member State is entitled to exercise the powers conferred on it by Directive 95/463 with respect to an establishment of that undertaking in the territory of that Member State even if, as a result of the division of tasks within the group, first, that establishment (in the present case, Facebook Germany) is responsible solely for the sale of advertising space and other marketing activities in the territory of the Member State concerned and, second, exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the EU, to an establishment situated in another Member State (in this case, Facebook Ireland).”
The Court further stated that, where the supervisory authority of a Member State (in this case, the Unabhängiges Landeszentrum in Germany) intends to exercise with respect to an entity established in the territory of that Member State (in this case, Wirtschaftsakademie) the powers of intervention provided for in Directive 95/46,4 on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State (in this case, Facebook Ireland), that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State (Ireland), the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.
The full text of the judgment can be seen, here.
Contact an FTC defense lawyer to discuss emerging privacy and data security law compliance trends that impact the online advertising sector. You can visit the author’s website at https://ftcdefenselawyer.com/ftc-defense-lawyer/
Richard B. Newman is a regulatory litigation, FTC investigations and advertising compliance attorney at Hinch Newman LLP. Follow him on LinkedIn.
ADVERTISING MATERIAL. Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.