On 5 June 2018, the Court of Justice of the European Union gave an important ruling on the interpretation of privacy law. The reason for the ruling was a question about Facebook pages, but the judgment is actually relevant for all parties who process personal data. In particular the balanced comment regarding the division of responsibility is worth noting.

Article | 08 June 2018 | Mark Jansen

Background

The reason for the ruling was the enforcement action by one of the German supervisory bodies.

Wirtschaftsakademie is an institution in Germany offering educational services by means of a fan page on Facebook.

The ULD (Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany) had ordered Wirtschaftsakademie to deactivate its Facebook page as visitors were not (correctly) informed that all manner of data would be collected when visiting the page (including via the use of cookies).

Wirtschaftsakademie disputed the enforcement by, inter alia, arguing that it was not responsible at all for this data collection. The ULD would have to turn to Facebook for this.

The question ended up at the Court of Justice via a so-called “preliminary question”.

Court: in view of the objective of the directive the term controller must be interpreted broadly

The Court notes first of all that the objective of the privacy directive is to ensure a high degree of protection (legal ground 26). This means that the term controller must be interpreted broadly (legal ground 27), as otherwise no effective and complete protection of privacy is possible (legal ground 28).

The Court clearly keeps the objective of privacy protection in the back of its mind when interpreting terms. If the term controller were to be interpreted narrowly, then the rules of the privacy directive would no longer apply.

Court: the controller can be several parties

In legal ground 29, the Court points out that according to the definition, a “controller” does not necessarily have to be one party. It is quite possible to have several controllers, who then are all subject to privacy law.

The GDPR already expressly allows for this, as a distinction is made between the controller and joint controllers (article 26 GDPR).

Court: a page administrator can determine the purpose of the processing and is therefore a joint controller

In the considerations that follow, the Court observes that the page administrator can influence the processing of personal data. After all, the administrator decides:

  • the settings of the page, partly dependent on target audience and objectives;
  • the filters to be set for statistics;
  • to receive demographic data about the users of the page on request;
  • to concentrate advertisements/promotions on the demographic characteristics of visitors to the page.

The administrator therefore determines, or at any rate influences, which data Facebook processes. This makes the administrator a joint controller (legal ground 39).

Court: it is not relevant that statistics are anonymised

It is noteworthy that the Court explicitly considers that it is not relevant that the page administrator only receives anonymised statistics (legal ground 38). The Court considers that joint responsibility does not require “each of them to have access to the personal data concerned”.

The fact that the platform actually dictates the restrictions/possibilities is also not relevant according to the Court (legal ground 40).

Court: extra care is required for non-Facebook members

The Court emphasises that the responsibility in respect of non-members of Facebook is “even greater” (legal ground 41).

It is unclear what the Court actually means by this. It possibly means that through their membership, Facebook users already have different expectations as regards privacy than non-members. That is not stated, however, so this remains guesswork.

Court: joint responsibility must however be assessed in a balanced manner

Legal ground 43 sets out an important qualification by the Court: joint responsibility does not mean that all parties are equally responsible.

The Court rules that “the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case”. Just above that the Court notes that the relevant parties “may be involved at different stages of that processing of personal data and to different degrees”.

That seems a reasonable legal rule. It does leave the question as to what this means in practice. It appears as though the page administrator can put forward the defence: “although I am formally the controller, in practical terms I have little or no influence on the personal data being processed so my liability is therefore also (virtually) nil.” It is a case of wait and see as to whether this is indeed the correct interpretation and how this doctrine is going to develop in case law.

Other considerations on powers of the supervisory bodies in international context

In the rest of the judgment, the Court addresses questions about which law applies and which supervisory body is competent in international issues. Crudely stated, the Court sticks to the line already following from the Weltimmo and Google Spain cases. I will not address this further in this blog if only because the GDPR makes very different choices in respect of this subject matter.

Final comment

The ruling of the Court is important for privacy law. A party processing personal data or who influences the processing by another party is quickly (jointly) responsible for this processing. Hiding behind any (technical) limitations is not possible.

It does however appear that the degree of responsibility depends on the degree of actual influence. Remarkably, hiding behind any (technical) limitations may be possible in this second step. In my view this is not unreasonable and also not very surprising: elsewhere in law the question is also always whether, and if so to what extent, particular conduct can be attributed to a party.

However, things are not getting any easier for Facebook page administrators. The Dutch Data Protection Authority is authorised to take action against those administrators. The administrators are effectively totally stuck (apart from removing the page); the contract with Facebook is after all a ‘take it or leave it’ contract.

And precisely for this reason, the job of the Dutch Data Protection Authority is not getting any easier either. It must expressly include the above-mentioned defence of the page administrator in its assessment. After all, the Court emphasises that “the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case”.

So either this will be pursued to the highest court, or nothing will change at all for the moment. We will keep an eye on it.

The ruling by the Court does however confirm once more that it is important to come to proper contractual agreements on the processing of personal data. Particularly if you don’t fancy taking it ‘to the highest court’. If you have any questions, please do not hesitate to contact us.