Professor Lorna Woods,
University of Essex
Facts of the Case
Many businesses rely on Facebook to support their business using a Facebook fanpage (which requires a specific registration with Facebook), and the Wirtschaftsakademie is one such. In this case, it received a notice from the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, a regional data-protection authority in Schleswig-Holstein (‘ULD’), to deactivate the fanpage. The ULD argued that the people coming to the page were not warned that their personal data would be collected by Facebook by means of cookies placed on the visitors’ hard disks.
For the person running the fanpage, the advantage of using it is the receipt of (anonymous) statistics on site use from Facebook via a tool called ‘Facebook Insights’, which is available free of charge under the standard, non-negotiable terms of use. For Facebook, it allows the acquisition of data to facilitate profiling for the purposes of delivering targeted adverts. The Wirtschaftsakademie challenged the ULD’s order, arguing that it was not responsible for the processing of data by Facebook. A number of questions were referred to the Court of Justice on the interpretation of the Data Protection Directive (Directive 95/46, the DPD), focussing on the questions of:
- who was responsible for the data (ie who is a controller);
- which regulatory authority might take action; and if so,
- whether it would be constrained by the opinions as to the legality of the processing of other competent supervisory authorities.
The Advocate-General took the view that both the Wirtschaftsakademie and Facebook were controllers and, although Facebook was established in Ireland, following the approach of the Court to jurisdiction in Google Spain and Google (Case C-131/12, discussed here), Facebook’s activities had to be assessed in the light of its activities in Germany. ULD could thus bring the enforcement action. In a judgment of 5th June 2018, the Court of Justice came to the same conclusion.
The Judgment
The Court construed the first two questions referred (on Articles 2(d) and 17 DPD) as asking whether the choice of Facebook as a means of reaching its audience means that a user so doing is responsible for the data processing. The Court, drawing on the approach in Google Spain and emphasising the aim of the DPD being to protect privacy, re-iterated that the concept of “controller” should be interpreted broadly, especially as the definition of “controller” foresees the possibility of joint controllers. Certainly Facebook determines the purposes and means of processing, thus bringing it within the meaning of “controller”. As regards the Wirtschaftsakademie, the Court stated that mere use of the network would not make a user a controller, but that the use of fanpages involves more engagement with Facebook, and that engagement influences whose data is collected by Facebook (on the fanpage).
Although the statistics are transmitted to the fanpage administrator in anonymous form, “Directive 95/46 does not, where several operators are jointly responsible for the same processing, require each of them to have access to the personal data concerned” (para 38).
Whilst Facebook might bear the most responsibility for processing, the Court also noted that where the fanpage is visited by those who do not have a Facebook account (and have therefore not signed up to Facebook’s terms), “the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data” (para 41).
Concurring with the opinion of the Advocate General, the Court accepted that joint responsibility was not the same as equal responsibility – responsibility should be assessed on the basis of the case in hand (para 43). The consequences of this for the supervisory authority – or the co-controllers – are not, however, drawn out.
The Court grouped questions 3 and 4 together to ask, where a non-EU company had multiple EU establishments, which regulator(s) would have the power to act (under Article 28(3) DPD). As had been noted in Weltimmo (Case C-230/14, discussed here), the supervisory authority’s powers are, in general, limited to its own territory. Reading Article 28 DPD in the light of Article 4(1) DPD, the Court stated that: “where the national law of the Member State of the supervisory authority is applicable under Article 4(1)(a) of the directive because the processing in question is carried out in the context of the activities of an establishment of the controller in the territory of that Member State, that supervisory authority can exercise all the powers conferred on it by that law in respect of that establishment, regardless of whether the controller also has establishments in other Member States” (para 52).
The question then becomes whether the controller satisfies the double test in Article 4(1) – that is, (1) whether the controller has an establishment in the Member State in which the supervisory authority is based; and (2) whether the processing is carried out ‘in the context of the activities’ of the establishment. Re-iterating Weltimmo, the Court stated that: “establishment in the territory of a Member State implies the effective and real exercise of activity through stable arrangements, and the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality, is not the determining factor” (para 54).
Facebook maintains an office in Germany through Facebook Germany; the processing need not be by the controller itself but in the context of its activities – a phrase not to be interpreted narrowly (as already established in Weltimmo and Google Spain). The Court noted that the placing of the cookies and the following analysis of the resulting data was intended to enable Facebook to improve its system of advertising by better targeting its commercial communications; in developing this argument the Court expressly adopted the reasoning of the Advocate General. It concluded that ULD was thus competent to intervene.
The Court further held, in dealing with questions 5 and 6, that the determination of lawfulness is for each supervisory authority to undertake as an independent body. The obligation on supervisory authorities to cooperate with one another does not attribute priority to the views of one supervisory authority over another, nor require a supervisory authority to comply with views expressed by another (paras 69-70).
Comments
This case was significant: it determined the power of the supervisory authorities and their respective rights to disagree. It also cast the net widely as regards the meaning of controller, and as a consequence the personal scope of the DPD, with implications for the practice of tracking and behavioural profiling. It may be less easy to get content providers to use these platforms if they come with a potentially hefty liability price-tag – though as noted the extent of differential responsibility in this context is not yet known. The ruling made clear that the mere possibility of taking measures against Facebook in Ireland, or a decision by the Irish supervisory authority not to institute measures, would not prevent measures being taken against a jointly responsible local controller who administers a Facebook Page. Following the ECJ’s ruling, the German data protection authorities have issued guidance as to what users of Facebook fanpages must do to comply with the law (see here and here).
Nonetheless, some are questioning the case’s long-term significance. The case referred to the DPD; the General Data Protection Regulation (GDPR) is now in force. To what extent is this decision then just a history lesson? The GDPR did not entirely do away with concepts used in the DPD, so insofar as the GDPR refers to “controller” it would seem that that term should be interpreted in the light of this case; likewise the GDPR expressly envisages the possibility of joint controllers.
Perhaps the big change is the introduction of the one-stop shop mechanism with the GDPR. Although the GDPR general approach in Article 55 GDPR to national supervisory jurisdiction is based on Article 28(6) DPD, Article 56 GDPR aims to ensure that a multi-jurisdictional controller deals principally with one regulator. The one-stop shop mechanism is not, however, quite as simple as that. There are exclusions from and exceptions to this principle (see Article 55(2) and Article 56(2)), as well as mechanisms to ensure that the various national supervisory authorities keep broadly in line with one another. Thus multiple regulators (from the perspective of service providers such as Facebook) remain a possibility. Article 56(2) provides for a supervisory authority other than the lead supervisory authority to seek jurisdiction. The circumstances in which this could arise are in relation to complaints made by individuals to it; or in relation to possible infringements if they either concern only the local establishment, or substantially affect data subjects only in the local Member State. In this context, a supervisory authority might take the view that a fanpage targets data subjects in its particular territory.
Whether or not these would affect Facebook’s ability to deal with just one regulator is one question, but what has not yet been considered is the impact going forward on any co-controller. The GDPR is silent on how jurisdiction is to be assigned in cases where there are joint controllers. The Article 29 Working Party Guidelines, which have been adopted by the European Data Protection Board (EDPB), suggest that the joint controllers should designate the main establishment.
Whether this would be appropriate in the context of unequal bargaining power between the joint controllers – as in the case of Facebook and its users – is uncertain. If Facebook designated as part of its terms of use that the relevant supervisory authority were to be the Irish Information Commissioner, this would mean that the weaker party could be subject to regulation from a ‘foreign’ regulator – perhaps in another language. This may be more difficult for an individual or small business to deal with than for a multinational company. This issue has yet to be directly addressed. In sum, it could be argued that the move to the GDPR does nothing to remove the exposure to liability, which might become a disincentive for businesses that see a fanpage as a low-cost option to continue using fanpages (and similar platforms).
We might ask, moreover, whether it is just Facebook fanpages that would be affected by the Court’s reasoning. There is a pending case on the installation of like buttons, which again allow tracking (see Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV (Case C-40/17)), but we might ask the question more broadly. What, for example, would be the position of Google Analytics being run on a site? There are many examples where deals between supplier and customer include personal data of those engaging with the customer, without those persons necessarily being aware of it, or having a choice in the matter. A business which signs up to Office 365 may agree to default consents to monitoring of email, diary and contact details of its employees. Would this make the employer a joint controller with Microsoft? It seems likely that there will be more cases on this – or similar questions – as we move into GDPR territory.
Photo credit: 77reviews.com