Michael Hirth
Promoting business in today’s social media driven economy demands that companies have a presence on platforms such as Twitter, LinkedIn or Facebook. Thus, communicating via business accounts implies processing customers’ data. Under new GDPR provisions, who is liable for the use of an audience’s information? The social media platform or the administrator of the account? The Court of Justice of the European Union (‘CJEU’) replied to this question on 5 June 2018[1], by holding administrators of a Facebook fan page jointly responsible with Facebook. Facebook reacted to the decision with a ‘Page Insights Controller Addendum’[2] – however, is operating a fan page for businesses really safe?
Inside Facebook’s processed data
Companies (or private persons) that set up a special user account for their business on Facebook create a Facebook page, commonly known as a ‘Fan page’, where they can introduce their business and post information.[3] Setting up this page implies becoming administrator of said page and use of a range of tools for analysing and configuring collected data. In particular, by using a tool called ‘Facebook Insights’, administrators collect anonymous statistical data about visitors to their page.[4] This data is acquired through the information Facebook collects via evidence files (‘cookies’), which contain a unique ID number that is stored on the hard disk of the user’s computer.[5] The use of these insights enables administrators to ask for demographic data, as well as information on the lifestyles and interests of the target audience; and to consequently take part in the processing of the audience’s data.[6]
Processing data and liability under the General Data Protection Regulation (‘GDPR’)
GDPR aims to protect the processing of personal data and to determine therefore the entities that can be held liable. A key role in this context are entities that can be identified as the ‘controller’, a body which, ‘alone or jointly with others, determines the purposes and means of the processing of personal data’[7]. Controllers are the entities held responsible when data processing infringements are committed, hence being identified as such is a sensitive issue. Their identification depends moreover not only on their capability to determine the purposes of the processed personal data, but also on their supervising authority when data is processed across borders. Cross-border processing of data was also one of the emerging issues in the Case brought before the CJEU on 5 June 2018[8]: In fact, Facebook designated its subsidiary, Facebook Ireland, internally as ‘the party responsible for all data processing activities within the territory of the EU’[9]. The question that was brought before the Court questioned this decision by arguing that another subsidiary, Facebook Germany, should be held liable for infringements within German territory and under German law.[10]
Key issues and the Court’s response
As far as the application of national law is concerned, the Court found that German national law is applicable, as the controller has a presence in that Member State. The Court nonetheless also confirmed Facebook’s decision to designate Facebook Ireland as the competent party in stating, in the line of the GDPR[11], that the supervisory authority from one Member State, as long as it acts as ‘main establishment’, exercises the role of controller in cases of cross-border data processing.
The core question in this case was about whether page administrators, although external to Facebook as social network operators, can be considered as controllers and therefore held responsible for processing data in connection with their page. In its decision, the CJEU found page administrators help determine the purpose of the visitor’s personal processed data, mostly by defining the page’s parameters.[12] Furthermore, the Court stated that ‘the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.’[13] For these reasons, the CJEU concluded that administrators must also be considered controllers, though jointly with Facebook.[14]
Although the Court’s intention was to relativise this burden of responsibility for millions of page administrators, in stating that ‘joint controllers’ does not signify equal responsibility[15] (‘operators may be involved at different stages of the processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of a particular case’[16]), as ramifications on business would be considerable. Indeed, were the CJEU’s decision taken literally, should companies delete their pages to be sure to avoid transgressing data protection provisions? Certainly not, especially after Facebook reacted to the judgement by proposing an agreement about primary responsibility regarding fulfilling data protection obligations: the ‘Page Insights Controller Addendum’.
[1] Case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH [2018]
[2] www.facebook.com/legal/terms/page_controller_addendum [11th October 2018]
[3] Nicolas Blanc, Wirtschaftsakademie Schleswig-Holstein: Towards a Joint Responsibility of Facebook Fan Page Administrators for Infringements to European Data Protection Law?, 4 Eur. Data Prot. L. Rev, 2018, p.120
[4]Court of Justice of the European Union, The administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page [Press release No 81/18] Luxembourg, 5th June 2018
available online: https://curia.europa.eu/jcms/upload/docs/application/pdf/2018-06/cp180081en.pdf [11.10.2018]
[5] Nicolas Blanc, ibid. p. 120
[6] Court of Justice of the European Union, ibid.
[7] Art. 4 GDPR
[8] Case C-210/16, ibid.
[9] Nicolas Blanc, ibid. p. 121
[10] Nicolas Blanc, ibid. p. 121
[11] GDPR art. 55 and 56
[12] Court of Justice of the European Union, ibid.
[13] Case C-210/16, ibid.
[14] Court of Justice of the European Union, ibid.
[15] XPAN Law Group, Are You a Joint Controller with Facebook? The CJEU’s Judgment in Case C-210/16, 2018
available on: https://xpanlawgroup.com/are-you-a-joint-controller-with-facebook-the-cjeus-judgment-in-case-c-210-16/ [11.10.2018]
[16] The CJEU’s Judgment in Case C-210/16, 2018 available on: https://xpanlawgroup.com/are-you-a-joint-controller-with-facebook-the-cjeus-judgment-in-case-c-210-16/ [11.10.2018]
XLNC MAGAZINE | No. 02 | November 2018