The question of the qualification of a fan page administrator as a joint controller was recently settled by the Court of Justice of the European Union (CJEU) in the case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH of June 5th 2018. It held that administrators are joint controllers.
What are joint controllers? Let us recall that controllers are the physical or natural persons which determine the purposes and means of the personal data processing (Article 4 of the General Data Protection Regulation, called the GDPR). The definition of joint controllers flows from the definition of controllers seeing as the former applies to the situation in which “two or more controllers jointly determine the purposes and means of processing” (Article 26 of Regulation n°2016/679).
Before diving into the case, one last point must be examined. The case at hand arose in 2011. It was therefore subject to the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It was repealed by the GDPR. However, the terms “controller” and “joint controller” are the same under the Directive and the GDPR.
Mathias Avocats examines the CJEU’s decision and analyses whether the outcome would have been the same under the GDPR.
What are the facts?
Wirtschaftsakademie is a company specialised in education. It uses a Facebook fan page to offer its training services. A Facebook fan page is a business account for a company or an individual which is set up for commercial purposes. It offers specific tools which would otherwise not be available through a Facebook “profile” account.
Indeed, administrators of fan pages can obtain anonymous statistical information on the visitors of the page through the functionality called “Insight”. The latter collects the information through cookies, each containing a unique user code, which will be active for the following 2 years and are stored by Facebook on the hard disk of the computer or any other media of visitors to the fan page. Visitors don’t necessarily have to be Facebook users.
In November 2011, the German supervisory authority – the ULD – ordered the company to de-activate its fan page on the grounds that visitors of said page were not informed of the collection of their personal data through cookies and of their processing. There was thus a violation of the German data protection legislation. Wirtschaftsakademie brought a complaint against the decision arguing that it could not be held responsible for Facebook’s processing and collection of the visitors’ personal data. The ULD disagreed and dismissed the complaint.
The company next brought the case in front of the national Administrative Court. It argued that the processing of personal data could not be attributed to the company and that it did not commission Facebook as understood under German data protection legislation. It thus argued that it was neither a controller neither a joint controller. The Court sided with Wirtschaftsakademie. The ULD appealed to the Higher Administrative Court which once again sided with the company. The case was then brought in front of the Federal Administrative Court which turned to the CJEU for clarifications namely regarding the qualification of joint controller.
What is the CJEU’s ruling?
The German Federal Administrative Court wished to know whether “an entity could be held liable in its capacity as administrator of a fan page on a social network where the rules on the protection of personal data are infringed, because it has chosen to make use of that social network to distribute the information it offers” (paragraph 25 of the CJEU’s decision). In other words, can the administrator of a fan page be considered as a controller?
The Court starts by recalling the broad scope of the term controller and the fact that several actors may fall under the definition of the term under Directive 95/46/EC. Let us underline that the same expansive scope was kept under the GDPR.
It then stated that Facebook must be regarded as a controller seeing as it “primarily determines the purposes and means of processing of personal data of users of Facebook and visitors of fan pages hosted on Facebook”. In this case, the processing carried out by Facebook is the placing of cookies on the device of the visitors of the fan page and the receiving, registration and processing of the information stored in said cookies. Following this understanding, the CJEU concluded that the mere fact of using Facebook does not make the user responsible for Facebook’s processing activities.
However, the Court draws a line between “users” and “administrators” considering the Insight functionality. The latter is limited to administrators of fan pages hosted on Facebook and enables them to have anonymous statistics concerning the people consulting the fan page. This in turn implies a definition of parameters (ex: sex, age, geographic region, occupation, etc.) by the administrator which will have an influence on the personal data processing activities carried out by Facebook. It must be kept in mind that the statistics requested will be anonymous for the administrator of the fan page.
For example, company A creates a fan page for a national football team. When creating the page, it defines the parameters to know the gender, age, geographical region and relationship of the visitors. The information is needed for an advertising campaign of the company’s new merchandise. Facebook will now be able to place the appropriate cookies and collect the information requested on each visitor. The cookies would not have been the same had company A only asked for the gender and geographical region of the visitors of the fan page.
In light of these findings, the CJEU considers that administrators of fan pages hosted on Facebook contribute to the processing of the personal data of visitors to their page. Indeed, the administrator takes part in the determination of the purposes and means of the processing of the visitors’ personal data by defining the parameters of the cookies it enables Facebook to place. Therefore, it ruled that administrators of fan pages are joint controllers.
Nonetheless, the CJEU reminds national courts that the joint controllers may be involved at different stages of the processing activity and to different degrees. As such, their liability should be assessed separately with regard to all the relevant circumstances of the case.
Does the GDPR impact the decision?
As previously said, the case arose in 2011 and was therefore not subject to the GDPR. This however does not imply that the CJEU’s decision is not pertinent under GDPR. Indeed, considering the definitions under both European legislations, it is likely that the CJEU’s decision will remain valid under the GDPR.
This in turn implies that administrators of fan pages may be required to enter into joint controllership agreements with Facebook namely to determine each party’s liability and obligations (Article 26 of the GDPR). The parties would also be required to provide clear, accessible and intelligible information to data subjects regarding the processing activities (Articles 26, 12, 13 and 14 of the GDPR). Both of these rules were not respected in the case examined. If another case were to arise concerning a similar question, it is reasonable to assume that a similar solution will be found.
It should also be underlined that users of social media hold several tools to protect themselves and limit the collection and use of their personal data. The GDPR strengthens their rights and several supervisory authorities have published recommendations concerning social media. For example, the Information Commissioner’s Office (ICO, the supervisory authority in the United Kingdom) published a guidance on the privacy setting on the use of social media and the Commission nationale de l’informatique et des libertés (Cnil, the French supervisory authority) published an article explaining the law and actions to take.
Mathias Avocats remains at your disposal for any questions you may have.