On the 5 of June 2018, the Court of Justice of the European Union (CJEU) in Case C-201/16 judged that the Administrator of a Facebook’s Fan Pages is jointly responsible with Facebook for its processing of personal data of the visitors of the page.
This judgment is important since it determines the data protection responsibilities of an organisation using this type of services and platforms. Thus, this article aims to provide you with the main details of the case, the scope of judgment and how it should be analysed.
Useful? Embed this infographic on your website.
THE FACTS OF THE CASE:
- The Supervisory Authority for the Land of Schleswig-Holstein, Germany (“SA”) ordered Wirtschaftsakademie Schleswig-Holstein, a German company (“Wirtschaftsakademie”), to deactivate its Fan Page because the visitors are not informed of the use of cookies placed by Facebook, by which their personal data is collected and processed.
- Wirtschaftsakademie refused to close it’s Fan Page, and brought the case to the German administrative authorities, primarily arguing that it can not be responsible for the collection and processing of personal data done by Facebook, that it did not even request.
- The German Federal Administrative Court of Justice decided to stay the proceedings and to refer several questions to the CJEU for a preliminary ruling. The questions mainly focus on the following points: (i) the responsibilities of an Administrator of a Fan Page concerning the protection of personal data; and, (ii) the competence and independence of the supervisory authority of each Member State.
THE OUTCOME OF THE CASE
On the 5 June 2018, the CJEU provided its judgment. The following are the key points:
- Regardless that the Administrator did not request statistical information and only receive it in an anonymous format. The Administrator contributes to the processing of the personal data of visitors to its page by: (i) defining its parameters – target audience and the objectives of managing of promoting its own activities- in the determination of the purposes and means of processing the personal data of the visitors to its Fan Page; and, (ii) giving the opportunity to Facebook to place cookies on the computer or other devices of a person visiting its Fan Page, whether or not that person has a Facebook account.
- The Administrator of a Fan Page must be regarded as a controller jointly responsible, within the EU, with Facebook for the processing of that personal data, to ensure complete protection of the rights of persons visiting the Fan Page.
- The SA of each member state is competent to ensure compliance in its territory with the rules on the protection of personal data.
- The SA of each member state is competent to asses, independently of an SA of another member state about the lawfulness of such data processing; and hence, may exercise its powers of intervention within its territory without first calling on the SA of another member state to pronounce.
THE VALUE OF A PRELIMINARY RULING
A preliminary ruling is a procedure, by which a national court may (and in some cases – must) refer an issue of interpretation of EU law to the CJEU. The CJEU’s ruling is binding on the court that submits the reference; yet note that the EU law does not have a doctrine of binding precedent such as the entertained in common law countries. So in theory, it is binding only on the national court that submitted the question and other courts in the same domestic procedure. Nevertheless, other national courts interpreting EU law should take them into account when tackling a similar issue.
The CJEU’s preliminary ruling decision is final, meaning not subject to appeal; thus, the only resource available is for the national courts or other courts on the same proceedings to submit a new question to clarify the previous answer or to indicate a new perspective on the issue.
Finally, the CJEU does not decide the dispute itself. It is for the national courts or tribunals to decide in line with the CJEU ruling.
HOW THIS AFFECTS BUSINESSES?
- Joint controllers – the organisation and Facebook- shall in a transparent manner determine their respective responsibilities by means of an arrangement, the essence of it shall be available to the data subjects, and also they should designate a point of contact for them.
- As a Data Controller, the organisation can be held liable by the data subjects for the entire damage; regardless, that the responsibility of the data controllers may be different.
- Regarding fines, a breach on the principles of processing (Art. 5 GDPR) and data subject’s rights (Art.12 to 22 GDPR) result in the higher fines that can be imposed by the Supervisory Authority of the Member State –20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- In addition, to the imposition of a fine, the Supervisory Authority can also order corrective measures, such as the suspension of the data processing –e.g., close of the Fan Page.
- This ruling should be considered in similar cases such as when the organisation uses third-party services –e.g., Chat tools, web analytical tools, social plugins and, platforms –e.g., LinkedIn, Twitter, Instagram; since in all these situations, the organisation would be defining the parameters and facilitating the collection of personal data by third-parties, hence acting as a joint controller.
Jessica Lam
Latest posts by Jessica Lam (see all)
- Processing Personal Data - March 30, 2021
- What is Privacy? - February 25, 2021
- What is Privacy Engineering? - January 14, 2021