The European Court of Justice (ECJ) has held than an administrator of a Facebook fan page was a controller, and was therefore jointly responsible with Facebook Ireland for the processing of that data.
Background
- A German company that was a provider of educational services, set up a fan page hosted on Facebook. Through a function called “Facebook Insights”, administrators of the fan page were able to obtain anonymous statistical data on visitors to the page.
- In 2011, the German data protection regulator for the company (ULD) ordered the Company to deactivate the fan page (or face a penalty payment if it failed to comply) on the basis that neither the Company nor Facebook informed visitors to the fan page that, using cookies, Facebook collected personal data about visitors and then processed that data.
- The Company took legal action before the German courts against the regulator’s decision arguing that the processing of personal data by Facebook could not be attributed to the Company and that it had not commissioned Facebook to process data that it controlled or was able to influence. A higher German court then sought an interpretation of a number of issues (also including about jurisdiction) this matter raised under the EU Data Protection Directive and referred the matter to the European Court of Justice for a legal ruling.
- Facebook fan pages are user accounts that can be set up by individuals and businesses. Facebook offers the administrators the opportunity to obtain statistics containing information on the characteristics and habits of the visitors of the page. Facebook compiles these statistics and stores at least one cookie containing a unique ID number, active for two years, on the hard disk of every fan page visitor.
The case before the ECJ raising a number of questions including who was the controller for the purposes of data protection?
Controller
- It was not disputed that Facebook Ireland was a controller
- The referring court had assumed that the Company was not a controller as it had no influence over the manner in which the personal data was processed by Facebook.
- In contrast to the decision of the referring court, the ECJ confirmed that the Company was also a controller and therefore jointly responsible for the processing of the personal data. It was responsible for determining the purposes and means by which Facebook Ireland processed the personal data of those visiting the page.
- Even though the platform was hosted by Facebook Ireland, the Company was benefitting from the fan page and was subject to the obligations of the EU Data Protection Directive
- The court also emphasised that fan pages hosted on Facebook can also be visited by persons who are not Facebook users and therefor do not have a user account on the social network (nor have they agreed to Facebook’s terms and conditions). In that case, it was suggested that the fan page administrator’s responsibility for the processing of the personal data of these persons is even greater, as by merely visiting the page this automatically engages the processing of their personal data.
Comment
Although this case was decided under the EU Data Protection Directive which is no longer in force, it may well be that the same interpretation would be applied under the EU General Data Protection Regulation (GDPR) which has now superseded the Directive. Article 26 of the GDPR also contains specific provisions for joint controllers.
This case confirms that an administrator of a fan page hosted on a social network can be considered a “controller” of personal data and highlights the need to have suitable privacy notices in place setting out how processing (including the use of cookies) will occur.
The ECJ’s ruling also suggests that any organisation that has an influence over how personal data is processed could be considered a data controller, not just in the context of Facebook fan pages (or other social media sites). Organisations should consider whether under this definition they are in fact data controllers and ensure that they are compliant with the relevant GDPR provisions.
Beverley Flynn