Professor Lorna Woods, University of Essex
Facts of the Case
Many businesses rely on Facebook to support their business using a Facebook fanpage (which requires a specific registration with Facebook) and the Wirtschaftsakademie is one such. In this case, it received a notice from the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, a regional data-protection authority in Schleswig-Holstein (‘ULD’), to deactivate the fanpage. The ULD argued that the people coming to the page were not warned that their personal data would be collected by Facebook by means of cookies placed on the visitors’ hard disks.
- who was responsible for the data (ie who is a controller);
- which regulatory authority might take action; and if so,
- whether it would be constrained by the opinions as to the legality of the processing of other competent supervisory authorities.
The Advocate-General took the view that both the Wirtschaftsakademie and Facebook were controllers and, although Facebook was established in Ireland, following the approach of the Court to jurisdiction in Google Spain and Google (Case C-131/12, discussed here), Facebook’s activities had to be assessed in the light of its activities in Germany. ULD could thus bring the enforcement action. In a judgment of the 5th June 2018, the Court of Justice came to the same conclusion.
The Court construed the first two questions referred (on Articles 2(d) and 17 DPD) as asking whether the choice of Facebook as a means of reaching its audience means that a user so doing is responsible for the data processing. The Court, drawing on the approach in GoogleSpain and emphasising the aim of the DPD being to protect privacy, re-iterated that the concept of “controller” should be interpreted broadly, especially as the definition of “controller” foresees the possibility of joint controllers. Certainly Facebook determines the purposes and means of processing, thus bringing it within the meaning of “controller”. As regards the Wirtschaftakademie, the Court stated that mere use of the network would not make a user a controller, but that the use of fanpages involves more engagement with Facebook, and that engagement influences whose data is collected by Facebook (on the fanpage). Although the statistics are transmitted to the fanpage administrator in anonymous form,
“Directive 95/46 does not, where several operators are jointly responsible for the same processing, require each of them to have access to the personal data concerned” (para 38).
Whilst Facebook might bear the most responsibility for processing, the Court also noted that where the fanpage is visited by those who do not have a Facebook account (and have therefore not signed up to Facebook’s terms),
“the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data” (para 41).
Concurring with the opinion of the Advocate General, the Court accepted that joint responsibility was not the same as equal responsibility – responsibility should be assessed on the basis of the case in hand (para 43). The consequences of this for the supervisory authority - or the co-controllers - are not, however, drawn out.
The Court grouped questions 3 and 4 together to ask, where a non-EU company had multiple EU establishments, which regulator(s) would have the power to act (under Article 28(3) DPD). As had been noted in Weltimmo (Case C-230/14, discussed here), the supervisory authority’s powers are, in general, limited to its own territory. Reading Article 28 DPD in the light of Article 4(1) DPD, the Court stated that:
“where the national law of the Member State of the supervisory authority is applicable under Article 4(1)(a) of the directive because the processing in question is carried out in the context of the activities of an establishment of the controller in the territory of that Member State, that supervisory authority can exercise all the powers conferred on it by that law in respect of that establishment, regardless of whether the controller also has establishments in other Member States” (para 52).
The question then becomes whether the controller satisfies the double test in Article 4(1) – that is, (1) whether the controller has an establishment in the member State in which the supervisory authority is based; and (2) whether the processing is carried out ‘in the context of the activities’ of the establishment. Re-iterating Weltimmo, the Court stated that:
“establishment in the territory of a Member State implies the effective and real exercise of activity through stable arrangements, and the legal form of such an establishment, whether simply a branch or a subsidiary with a legal personality, is not the determining factor” (para 54).
Facebook maintains an office in Germany through Facebook Germany; the processing need not be by the controller itself but in the context of its activities – a phrase not to be interpreted narrowly (as already established in Weltimmo and Google Spain). The Court noted that the placing of the cookies and the following analysis of the resulting data was intended to enable Facebook to improve its system of advertising by better targetting its commercial communications; in developing this argument the Court expressly adopted the reasoning of the Advocate General. It concluded that ULD was thus competent to intervene.
The Court further held, in dealing with questions 5 and 6, that the determination of lawfulness is for each supervisory authority to undertake as an independent body. The obligation on supervisory authorities to cooperate with one another does not attribute priority to the views of one supervisory authority over another, nor require a supervisory authority to comply with views expressed by another (para 69-70).
This case was significant: it determined the power of the supervisory authorities and their respective rights to disagree. It also cast the net widely as regards the meaning of controller, and as a consequence the personal scope of the DPD, with implications for the practice of tracking and behavioural profiling. It may be less easy to get content providers to use these platforms if they come with a potentially hefty liability price-tag – though as noted the extent of differential responsibility in this context is not yet known. The ruling made clear that the mere possibility of taking measures against Facebook in Ireland, or a decision by the Irish supervisory authority not to institute measures, would not prevent measures being taken against a jointly responsible local controller who administers a Facebook Page. Following the ECJ’s ruling, the German data protection authorities have issued guidance as to what users of Facebook fanpages must do to comply with the law (see here and here).
Nonetheless, some are questioning the case’s long-term significance. The case referred to the DPD; the General Data Protection Regulation (GDPR) is now in force. To what extent is this decision then just a history lesson? The GDPR did not entirely do away with concepts used in the DPD, so insofar as the GDPR refers to “controller” it would seem that that term should be interpreted in the light of this case; likewise the GDPR expressly envisages the possibility of joint controllers.
Perhaps the big change is the introduction of the one-stop shop mechanism with the GDPR. Although the GDPR general approach in Article 55 GDPR to national supervisory jurisdiction is based on Article 28(6) DPD, Article 56 GDPR aims to ensure that a multi-jurisdictional controller deals principally with one regulator. The one-stop shop mechanism is not, however, quite as simple as that. There are exclusions from and exceptions to this principle (see Article 55(2) and Article 56(2)), as well as mechanisms to ensure that the various national supervisory authorities keep broadly in line with one another. Thus multiple regulators (from the perspective of service providers such as Facebook) remain a possibility. Article 56(2) provides for a supervisory authority other than the lead supervisory authority to seek jurisdiction. The circumstances in which this could arise are in relation to complaints made by individuals to it; or in relation to possible infringements if they either concern only the local establishment, or substantially affect data subjects only in the local Member State. In this context, a supervisory authority might take the view that a fanpage targets data subjects in its particular territory.
Whether or not these would affect Facebook’s ability to deal with just one regulator is one question but what has not yet been considered is the impact going forward on any co-controller. The GDPR is silent on how jurisdiction is to be assigned in cases where there are joint controllers. The Article 29 Working Party Guidelines, which have been adopted by the European Data Protection Board (EDPB), suggest that the joint controllers should designate the main establishment.
We might ask, moreover, is it just Facebook fanpages that would be affected by thie Court’s reasoning. There is a pending case on the installation of like buttons, which again allow tracking, (see Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV (Case C-40/17)) but we might ask the question more broadly. What for example would be the position of Google analytics being run on a site? There are many examples where deals between supplier and customer include personal data of those engaging with the customer, without those persons necessarily being aware of it, or having a choice in the matter. A business which signs up to Office 365 may agree to default consents to monitoring of email, diary and contact details of its employees. Would this make the employer a joint controller with Microsoft? It seems likely that there will be more cases on this – or similar questions – as we move into GDPR territory.
Photo credit: 77reviews.com