CJEU’s Advocate General Bot: Administrators of Facebook Fan Pages May Be Held Responsible for the Data Processing Carried out by Facebook
By Katharina Erler
The opinion of Advocate General Bot delivered on 24 October 2017 and issued in relation to case C-210/16 of the Court of Justice of the European Union (CJEU) suggests that administrators of fan pages on the Facebook social network may, as controllers under Article 2(d) of the EU Data Protection Directive (95/46/EC), be held responsible for the data processing carried out by Facebook and for the cookies which Facebook installed for that purpose. In particular, the administrator should be regarded as being, along with Facebook Inc. and Facebook Ireland itself, a controller of the processing of personal data that is carried out for the purpose of compiling viewing statistics for that fan page. Furthermore, Advocate General Bot rejected Facebook’s assertion that its EU data processing activities fall solely under the jurisdiction of the Irish Data Protection Commissioner. The related case is Unabhängiges Landeszentrum für Datenschutz v. Wirtschaftsakademie, C-210/16.
Facebook fan pages are user accounts that may be set up by individuals as well as businesses. Administrators may use their fan page to present themselves or their businesses for commercial purposes. Facebook also offers the administrators the opportunity to obtain viewing statistics containing information on the characteristics and habits of the visitors of their fan page. These statistics are compiled by Facebook, which collects data of the visitors via cookies, and then personalized by the fan page administrator using selection criteria. This may help administrators to better craft the communications on their fan pages. To compile these statistics Facebook stores at least one cookie containing a unique ID number, active for two years, on the hard disk of every fan page visitor.
A German company, “Wirtschaftsakademie Schleswig-Holstein GmbH”, which provides education and training services via a fan page hosted on the website of the social network Facebook, was ordered on November 3, 2011 by a German regional data-protection authority, “Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein”, to deactivate its fan page. This decision was based on the fact that neither the “Wirtschaftsakademie” as administrator nor Facebook had informed visitors of the fan page that Facebook was collecting and processing their personal data.
After it challenged this order and the data-protection authority again dismissed that objection, the “Wirtschaftsakademie” brought an action before a regional German Administrative Court. It ruled on October 9, 2013, that the administrator of a fan page is not a “controller” within the meaning of the German data protection act and therefore cannot be the addressee of an order to deactivate the fan page under § 38(5) of the German data protection act (“BDSG”). The Higher Administrative Court then dismissed an appeal of the data-protection authority, holding that the prohibition of the data processing was unlawful. According to its ruling, this was because a prohibition of data processing under this provision is only possible if it is the only way to end the infringement. Facebook was in a position to end the processing of data, and therefore the “Wirtschaftsakademie” was not a “controller” of data processing under § 38(5) of the German data protection act.
In the appeal proceedings, the German Federal Administrative Court confirmed that ruling by considering that the administrator of a fan page is not a data controller within the meaning of either § 38(5) of the German data protection act or Article 2(d) of EU-Directive 95/46/EC. Hence, the Court referred several questions to the CJEU. As a core issue, questions (1) and (2) concern whether a body which is not a controller under Article 2(d) of EU-Directive 95/46/EC may also be the addressee of orders of the supervisory bodies.
It is worth mentioning that, in order to rule on the lawfulness of the order in question, the referring court also asked, in its questions (3) and (4), about the distribution of powers among the supervisory bodies in cases where a parent company has several establishments throughout the EU. Finally, questions (5) and (6) concern the necessary network to coordinate and align the decisions of the supervisory bodies in order to avoid differing legal appraisals.
Article 2(d) of EU Data Protection Directive 95/46/EC provides that a ‘controller’ is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.
Article 17(2) of the EU Data Protection Directive 95/46/EC states that the Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
Article 24 of the EU Data Protection Directive 95/46/EC states that the Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down the sanctions to be imposed in case of infringement of the provisions adopted pursuant to this Directive.
Article 28(3) of EU Data Protection Directive 95/46/EC stipulates that each authority shall in particular be endowed with: investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties; effective powers of intervention, such as, for example, that of delivering opinions before processing operations are carried out, in accordance with Article 20, and ensuring appropriate publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing, of warning or admonishing the controller, or that of referring the matter to national parliaments or other political institutions; and the power to engage in legal proceedings where the national provisions adopted pursuant to this Directive have been violated or to bring these violations to the attention of the judicial authorities. Decisions by the supervisory authority which give rise to complaints may be appealed through the courts.
Advocate General Bot’s assessment of the questions referred to the CJEU
First, Advocate General Bot emphasizes that the referred questions do not touch upon the substantive question of whether the processing of personal data in the case at hand is contrary to the rules of EU-Directive 95/46/EC.
Under the assumption that the administrator of a fan page is not a controller under Article 2(d) of EU-Directive 95/46/EC, the German Federal Administrative Court especially stresses the question whether Article 2(d) may be interpreted as definitively and exhaustively defining the liability for data protection violations, or whether scope remains for responsibility of a body which is not a controller within the meaning of this article. This leads to the central question, which is pointed out by Advocate General Bot, whether supervisory bodies are permitted by Articles 17(2), 24 and 28(3) of Directive 95/46/EC to exercise their powers of intervention against such a non-controller.
Advocate General Bot, however, considers the underlying premise to be incorrect and clearly emphasizes that, in his opinion, the administrator of a Facebook fan page must be regarded as jointly responsible for the phase of data processing which consists in the collecting by Facebook of personal data. By referring to CJEU’s Google Spain judgment C-131/12 of 13 May 2014, Advocate General Bot, as a starting point, stresses the importance and fundamental role of the controller under the EU Data Protection Directive and its responsibility to ensure the effectiveness of Directive 95/46/EC and its full protection of data subjects. Therefore, and in view of the history of CJEU’s case law, the concept of the “controller” must be given a broad definition. As the “controller” is the person that decides why and how personal data will be processed, this concept leads to responsibility where there is actually influence.
According to Bot, it is Facebook Inc., alongside Facebook Ireland, which, as the designer of the data processing in question, principally decides on the purposes of this data processing, as it, in particular, developed the economic model comprising, on the one hand, the publication of personalized advertisements and, on the other hand, the compilation of statistics for fan page administrators. Additionally, because Facebook Ireland has been designated by Facebook Inc. as being responsible for the processing of personal data within the European Union, and because some or all of the personal data of Facebook’s users who reside in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, Facebook Inc. alongside Facebook Ireland are responsible for data processing.
But at this point Bot additionally emphasized that Article 2(d) of Directive 95/46/EC expressly provides for the possibility of shared responsibility and that it is also necessary to add to the responsibility of Facebook Inc. alongside Facebook Ireland the responsibility of the fan page administrator. Although Bot recognized that a fan page administrator is first and foremost a user of Facebook, he stresses that this does not preclude those administrators from being responsible for the phase of data processing. In his view, the determination of the “controller” under Article 2(d) turns on any influence in law or in fact over the purposes and means of data processing, and not on the carrying out of the data processing itself.
Advocate General Bot argued that (1) fan page administrators, merely by having recourse to Facebook for the publication of their information, subscribe to the principle that visitors’ data will be processed. That data processing would (2) also not occur without the prior decision of the administrator to operate a fan page in the Facebook social network. And (3) by, on the one hand, enabling Facebook to better target its advertisements and, on the other hand, acquiring better insight into the profiles of its visitors, the administrator at least participates in the determination of the purposes of data processing. These objectives are, according to Advocate General Bot, closely related, which would support the joint responsibility.
Moreover, (4) the administrator has, as a decisive influence, the power to bring that data processing to an end by closing the page down. Finally, Bot argued that (5) the administrator, by defining criteria for the compilation of statistics and using filters, is able to influence the specific way in which that data processing tool is used. This classification as a “controller” would be contradicted neither by imbalances in the relationship of strength nor by any interpretation that is based solely on the terms and conditions of the contract concluded by the fan page administrator and Facebook. With reference to CJEU’s case Google Spain, Bot pointed out that it is not necessary to have complete control over data processing. This result and broad interpretation of “controller” would also serve the purpose of effective data protection and prevent the possibility of evading responsibility by agreeing to the terms and conditions of a service provider for the purposes of hosting information on their website.
Furthermore, Advocate General Bot established a parallel with CJEU’s decision Fashion ID, C-40/17, where the manager of a website embeds in its website the Facebook Like Button, which, when activated, transmits personal data to Facebook. As to the question of whether Fashion ID “controlled” this data processing, Bot holds that there is no fundamental difference between those two cases. Finally, the Advocate General clarified that joint responsibility does not imply equal responsibility. The various parties may be involved in the processing of data to different degrees.
It seems surprising that Advocate General Bot simply rejected the premise of the German Federal Administrative Court, instead bringing to the foreground the question on the interpretation of the “controller” under Article 2(d)—even changing the focus of the referred questions. Furthermore, this broad interpretation and the expansion of the fundamental concept of the “controller” might suggest that, if followed by the CJEU, in the future anyone who has any influence on the data processing, especially by just using a service which is associated with data processing, might be held responsible for infringement of data protection law.
With regard to the question of jurisdiction, it is worth mentioning that Advocate General Bot especially emphasized that the processing of data in the case at hand consisted of the collection of personal data by means of cookies installed on the computers of visitors to fan pages and is specifically intended to enable Facebook to better target its advertisements. Therefore, in line with CJEU’s decision Google Spain and due to effective and immediate application of national rules on data protection, Advocate General Bot holds that this data processing must be regarded as taking place in the context of the activities in which Facebook Germany engages in Germany. The fact that the EU head office of Facebook Inc. is situated in Ireland does not, according to Bot, therefore, prevent the German data protection authority in any way from taking measures against the “Wirtschaftsakademie”. This, however, may be interpreted differently under the EU’s upcoming General Data Protection Regulation (2016/679), which replaces the existing EU Member State data protection laws based on Directive 95/46/EC when it enters into force on 25 May 2018.