Lorna Woods, Professor of Internet Law, University of Essex
Who is responsible for data protection law compliance on Facebook fan sites? That issue is analysed in a recent opinion of an ECJ Advocate-General, in the case of Wirtschaftsakademie (full title: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht).
This case is one more in a line
of cases dealing specifically with the jurisdiction of national data protection
supervisory authorities, a line of reasoning which seems to operate separately
from the Brussels I Recast Regulation,
which concerns jurisdiction of courts
over civil and commercial disputes.
While this is an Advocate-General’s opinion, and therefore not binding
on the Court, if followed by the Court it would consolidate the Court’s prior broad
interpretation of the Data
Protection Directive. While this
might be the headline, it is worth considering a perhaps overlooked element of
the data-economy: the role of the content provider in providing individuals
whose data is harvested.
Facts
Wirtschaftsakademie set up a ‘fan
page’ on Facebook. The data protection
authority in Schleswig-Holstein sought the deactivation of the fan page on the
basis that visitors to the fan page were not warned that their personal data
would be collected by means of cookies placed on the visitor’s hard
disk. The purpose of that data collection was twofold: to compile viewing
statistics for the administrator of the fan page; and to enable Facebook to
target advertisements at each visitor by tracking the visitors’ web browsing
habits, otherwise known as behavioural advertising. Such activity must comply with the Data
Protection Directive (DPD) (as implemented in the various Member States). While the content attracting visitors was
that of Wirtschaftsakademie, it relied on Facebook for data collection and
analysis. It is here that a number of preliminary questions arise:
- Who is the controller for the purposes of the data protection regime;
- Which is the applicable national law; and
- The scope of the national supervisory authority’s regulatory competence?
Opinion
Controller
The referring court had assumed
that Wirtschaftsakademie was not a controller as it had no influence, in law or
in fact, over the manner in which the personal data was processed by Facebook,
and the fact that Wirtschaftsakademie had recourse to analytical tools for its
own purposes does not change this [para 28]. Advocate General Bot, however,
disagreed with this assessment, arguing that Wirtschaftsakademie was a joint
controller for the purposes of the DPD – a possibility for which Article 2(d)
DPD makes explicit provision [paras 42, 51, 52]. The Advocate General accepted that the
system was designed by Facebook so as to facilitate a data-driven business
model and that Wirtschaftsakademie was principally a user of the social network
[para 53]. The Advocate General nonetheless highlighted that without the participation of
Wirtschaftsakademie the data processing in respect of the visitors to
Wirtschaftsakademie could not occur, and that it could end that processing by
closing the relevant fan page down. In sum:
Inasmuch as he
agrees to the means and purposes of the processing of personal data, as
predefined by Facebook, a fan page administrator must be regarded as having
participated in the determination of those means and purposes. [para 56]
Advocate General Bot further
suggested that the use of the various filters included in the analytical tools
provided meant that the user had a direct impact on how data was processed by
Facebook. To similar effect, a user can also seek to reach specific audiences,
as defined by the user. As a result, the
user has a controlling role in the acquisition phase of data processing by
Facebook. The Advocate General rejected a formal analysis based on the terms
of the contract concluded by the user and Facebook [para 60], and the fact that
the user may be presented with ‘take it or leave it’ terms does not affect the
fact that the user may be a controller.
As a final point, the Advocate
General referred to the risk of data protection rules being circumvented,
arguing that:
had the
Wirtschaftsakademie created a website elsewhere than on Facebook and
implemented a tool similar to ‘Facebook Insights’ in order to compile viewing
statistics, it would be regarded as the controller of the processing needed to
compile those statistics [para 65].
A similar approach should be
taken in relation to social media plug-ins (such as Facebook’s like button),
which allow Facebook to gather data on third party websites without the
end-user’s consent (see Case C-40/17 Fashion
ID, pending).
Having recognised that joint
responsibility was an important factor in ensuring the protection of rights,
the Advocate General – referring to the approach of the Article 29 Working Party
on data protection – clarified that this did not mean that both parties would
have equal responsibility, but rather their respective responsibility would
vary depending on their involvement at the various stages of processing
activities.
Applicable Law
Facebook is established outside
the EU, but it has a number of EU established subsidiaries: the subsidiary
which has responsibility for data protection is established in Ireland, while
the other subsidiaries have responsibility for the sale of advertising. This raises a number of questions: can the
German supervisory authority exercise its powers and if so, against which
subsidiary?
Applicable law is dealt with in
Article 4 DPD, which refers to the competence of the Member State where the
controller is established but which also envisages the possibility, in the case
of a non-EU parent company, of multiple establishments. The issue comes down to the interpretation of
the phrase from Art. 4(1)(a), ‘in the context of the activities of an
establishment’, which according to Weltimmo
cannot be interpreted restrictively [para 87].
The Advocate General determined that there were two criteria [para 88]:
- An establishment within the relevant Member State; and
- Processing in connection with that establishment.
Relying on Weltimmo and Verein für Konsumenteninformation, the Advocate General
identified factors based on the general freedom of establishment approach to the
question of establishment, which looks for real activity through stable
arrangements; the approach is not formalistic. Facebook Germany clearly
satisfies these tests.
Referring to Article
29 Working Party Opinion 8/2010, the Advocate General re-iterated that in
relation to the second criterion, it is context not location that is important.
In Google
Spain, the Court of Justice linked the selling of advertising (in
Spain) to the processing of data (in the US) to hold that the processing was
carried out in the context of the Spanish subsidiary given the economic nexus
between the processing and the advertising revenue. The business set-up for Facebook here is the
same, and the fact that there is an Irish office does not change the fact that
the data processing takes place in the context of the German subsidiary. The DPD does not introduce a one-stop shop;
to the contrary, a deliberate choice was made to allow the application of
multiple national legal systems (see Rec 19 DPD), and this approach is
supported by the judgment in Verein für
Konsumenteninformation in relation to Amazon. The system will change with the entry into
force of the General
Data Protection Regulation (GDPR), but the Advocate General proposed that
the Court should not pre-empt the entry into force of that legislation (due May
2018) in its interpretation, as the cooperation mechanism on which it depends
is not yet in place [para 103].
Regulatory Competence
By contrast to Weltimmo, where the supervisory
authority was seeking to impose a fine on a company established in another
Member State, here the supervisory authority would be imposing German law on a
German company. There is a question,
however, as to the addressee of any enforcement measure. On one interpretation,
the German regulator should have the power only to direct compliance on the
company established on its territory, even though that might not be effective.
Alternatively, the DPD could be interpreted so as to allow the German regulator
to direct compliance from Facebook Ireland. Looking at the fundamental role of
controllers, Advocate General Bot suggested that this was the preferred
solution. Article 28(1), (3) and (6) DPD entitle the supervisory authority
of the Member State in which the establishment of the controller is located, by
contrast to the position in Weltimmo,
to exercise its powers of intervention without being required first to call on
the supervisory authority of the Member State in which the controller is
located to exercise its powers.
Comment
The novelty in this Opinion
relates to the first question, and is significant because the business model
espoused by social media companies depends on the participation of those
providing content, who seem at the moment to take little responsibility for
their actions. The price paid by third
parties (in terms of data) is facilitated by them, allowing them to avoid or
minimise their business costs. Should
there be a consistency of enforcement applications against such users, this may
gradually have an effect on the underlying platform’s business model. While it is harder to regulate mice than
elephants, at least these mice appear to be clearly within the geographic
jurisdiction of the German regulator – and will remain so even when the GDPR is
in force.
The Advocate General went out of
his way to explain that there was no difference between the situation in issue
here and that in the other relevant pending case, Case C-40/17 Fashion ID. This case concerns the choice by a website
provider to embed third party code allowing the collection of data in respect
of visitors in the programming for the website for its own ends (increased
visibility of and thus traffic to the website): the code in question is that
underpinning the Facebook ‘like’ button, but would also presumably include
similar codes from Twitter or Instagram.
If there was any doubt from cases
– for example Weltimmo – about
whether there is a one-stop shop (ie only one possible supervisory authority with
jurisdiction across the EU) in the Data Protection Directive, the Advocate
General expressly refutes this point. In
this context, it seems that this case adds little new, rather elaborating
points of detail based on the precise factual set-up of Facebook operations in
the EU. It seems well-established now that – at least under the DPD – clever
multinational corporate structures cannot funnel data protection compliance
through a chosen national regime.
It may be worth noting also the
broad approach of the Advocate General to Google
Spain when determining whether processing is in the context of activities.
There the Court observed that:
‘in such
circumstances, the activities of the operator of the search engine and those of
its establishment situated in the Member State concerned are inextricably
linked since the activities relating to the advertising space constitute the
means of rendering the search engine at issue economically profitable and that
engine is, at the same time, the means enabling those activities to be
performed’ [Google Spain, para 56]
Here, the Advocate General
focussed on the fact that social networks such as Facebook generate much of
their revenue from advertisements posted on the web pages set up and accessed
by users and that there is therefore an indissoluble link between the two
activities. Thus it seems that the Google Spain reasoning applies broadly
to many free services paid for by user data, even if third parties – for
example those providing the content on the page visited – are involved
too.
Of course, the GDPR does
introduce a one-stop shop. Arguably, therefore, these cases will soon be of
historic interest only. The GDPR
proposes that the regulator in respect of the controller’s main EU
establishment should have lead responsibility for regulation, with regulators
in respect of other Member States being ‘concerned authorities’. There are two points to note: first, there is
a system in place to facilitate the cooperation of the relevant supervisory
authorities (Art 60), including possible recourse to a ‘consistency mechanism’
(Art 63 et seq); secondly, the competence of the lead authority to act in
relation to cross-border processing in Article 66 operates without prejudice to
the competence of each national supervisory authority in its own territory set
out in Article 55. The first of these
two points concerns the attempt to limit regulatory arbitrage and a downward
spiral of standards in the GDPR as applied and the broad approach to
establishment. The interest of the recipient state in regulating means that
there may be many cases involving ‘concerned authorities’. The precise implications of the second point
are not clear; note however that it seems that the one-stop shop as regards
Facebook would not stop data protection authorities taking enforcement action
against users such as Wirtschaftsakademie.
Photo credit: Deccan Chronicle