Ban of Facebook Custom Audience – decision of German DPA upheld

The ban imposed by a German DPA (state of Bavaria) on an online shop using Facebook Custom Audience has been upheld by the competent Administrative Court. In injunction proceedings the Administrative Court held that the decision of the Bavarian DPA is directly enforceable, since the public interest in directly enforcing the DPA's decision outweighs the interest of the online shop in continuing Custom Audience until the final decision of the court is rendered.[1] The court holds that the hash of the e-mail address, which Facebook uses to match the database of the online shop against Facebook users, is not anonymised data but, on the contrary, personal data. Under the German Data Protection Act (BDSG) and Directive 95/46 a data transfer from one controller to another controller is not permissible on the basis of legitimate interest but requires the consent of the customer. The decision applies equally under the GDPR.

1.    Facts and procedure

Custom Audience is a product of Facebook in which, in the present case, the online shop processes the e-mail addresses of its customers with a hash algorithm. The hashes are transferred to Facebook. Facebook matches each hash against the hashes of Facebook users. Where two hashes match, the customer of the online shop is at the same time a user of Facebook. Facebook provides the corresponding customer list to the Facebook account of the online shop. The online shop then chooses how this audience is to be addressed by Facebook's marketing activities. The information that the Facebook user is a customer of the online shop is added to that user's Facebook account.

By a decision of 16 January 2018 the Bavarian DPA required the online shop to erase the custom audience list under its Facebook account within two weeks. In addition, the Bavarian DPA ordered that this decision is directly enforceable. The online shop refused to comply and filed a lawsuit against the Bavarian DPA. By way of injunction the online shop applied to the competent court for permission to continue with Custom Audience until the final decision of the court is rendered. The Administrative Court refused to grant the application of the online shop and upheld the decision of the Bavarian DPA. In this preliminary ruling the court followed the arguments of the DPA. Since the same court will render the final judgment, it will likely follow the preliminary ruling.

2.    Legal arguments of the Administrative court

a.     Processing of personal data

The court is of the opinion that personal data is processed. The court holds that, with the assistance of the e-mail address, an identification of the customer is possible. Since the hash is not anonymised data, the court concludes e contrario that the hash is personal data. Without the matching of the customer across the two databases, Facebook would not be in a position to identify the relevant customers and add them to the Custom Audience list.
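To make the court's point concrete, the following is an added example in Python (not taken from the decision, and not Facebook's own implementation) that models the hash matching described above. The sample addresses are constructed, and the use of unkeyed SHA-256 over a lower-cased, trimmed address is an assumption about the matching scheme; the decision does not name the algorithm. It shows that whoever holds the plaintext addresses recovers the identities behind the hashes, so the uploaded list is pseudonymised, not anonymised.

```python
import hashlib

# Constructed sample data (not from the decision): the shop's customer
# e-mail addresses and the platform's user directory.
SHOP_CUSTOMERS = ["Alice@example.com", "bob@example.org", "carol@example.net"]
PLATFORM_USERS = {
    "alice@example.com": "platform-user-1001",
    "dave@example.org": "platform-user-1002",
    "carol@example.net": "platform-user-1003",
}


def normalise(email):
    # Both sides must canonicalise identically or the hashes never match;
    # lower-casing and trimming is an assumption about the matching scheme.
    return email.strip().lower()


def hash_email(email):
    # Unkeyed SHA-256 is assumed here; the decision does not name the algorithm.
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def build_audience_upload(customers):
    """What the shop sends: hashes only, no plaintext addresses."""
    return sorted({hash_email(e) for e in customers})


def match_audience(upload, platform_users):
    """What the receiving party does: hash its own directory and intersect.

    Because it holds the plaintext addresses, it learns exactly which of its
    users are customers of the shop. The hash therefore hides only those
    shop customers who are not also users of the platform.
    """
    by_hash = {hash_email(e): uid for e, uid in platform_users.items()}
    return {h: by_hash[h] for h in upload if h in by_hash}


def matched_shop_customers(customers, matched):
    """What flows back to the shop: which of its own customers are platform users."""
    return [e for e in customers if hash_email(e) in matched]


def reidentify(upload, candidate_emails):
    """Anyone holding candidate addresses can test them against the hashes;
    an unkeyed hash of a guessable identifier offers no secrecy."""
    uploaded = set(upload)
    return [e for e in candidate_emails if hash_email(e) in uploaded]
```

Running the functions on the constructed data shows two of the three shop customers being identified on the platform side, while the platform learns nothing about the third address that it does not hold itself.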

Since any disclosure by transmission is a processing of personal data, the court interprets the data transfer to Facebook as 'processing' under German data protection law.

b.     ‘Data processing on behalf’ or ‘transmission’?

The online shop has concluded a contract on data processing on behalf (a processor agreement) with Facebook for the data matching. The online shop regards Facebook as controller only insofar as Facebook processes the personal data after the matching of the hashes.

In contrast, the court is of the opinion that Facebook's processing cannot be split into two parts but must be regarded as one single process. The court argues that Facebook has room to manoeuvre within this process and is not strictly bound by the instructions of the online shop. In addition, the court states that the decision which customers will be the addressees of marketing activities lies with Facebook. Therefore, the court does not regard data processing on behalf as a valid legal basis for the transfer of personal data to Facebook, since Facebook acts as controller.

According to Working Paper 169 of the Article 29 Working Party (WP29), the controller is the enterprise which determines the purpose of the processing. The decision on the 'means' may be delegated to the processor. WP29 describes the purpose as the "why" of the processing activities and the means as the "how" of the processing.[2] In contrast, the Administrative Court follows the German tradition of interpreting data protection law. The German tradition regards even the means as something to be determined by the controller to a large extent.[3] For example, the outsourcing of a complete business process, such as the data processing of HR (Human Resources), would not be regarded as admissible on the basis of data processing on behalf.[4]

But both interpretations agree that a party which determines the purpose of the data processing is the controller. Since Facebook processes the personal data for its own purpose, it determines the "why" of the data processing. Therefore, both interpretations come to the same conclusion that Facebook is to be regarded as controller.

c.     Legitimate interest as legal basis for transmission?

The transmission of personal data from the online shop to Facebook needs a legal basis.

The court argues partly on the basis of specific German data protection law on marketing[5] and partly on the basis of legitimate interest.[6]

It is not necessary to refer to the German data protection law which covers marketing in a specific way,[7] since the ECJ has held that legitimate interest under Article 7 of Directive 95/46 has direct effect, although in principle only regulations and not directives have direct effect.[8] In a subsequent decision the ECJ declared invalid any national law which is more specific than legitimate interest. This decision rendered the specific German law for online business invalid.[9] In my opinion, the Administrative Court contradicts the ECJ insofar as it argues on the basis of specific German law.

Therefore, it is only necessary to establish legitimate interest on the basis of the following test:

First, the online shop has a legitimate interest in transferring the personal data to Facebook, since marketing is an economic interest, which is regarded as legitimate under data protection law.

Second, the data subject has a legitimate interest in his personal data not being transferred to a third party outside the controller without his consent. The right to data protection is the right to self-determination over personal information, which in practice may be implemented by asking for the consent of the data subject.

Third, the interest of the online shop must be necessary and proportionate in the specific case when weighed against the interest of the data subject. The relevant criterion is whether any other measure is available to the controller which serves the purpose but infringes the right to personal data less.

In this last respect the court is of the opinion that the online shop may take the less intrusive measure of asking the customer for consent, i.e. whether he agrees that his personal data is transferred to a third party. Therefore, the Administrative Court does not consider legitimate interest a valid legal basis.

d.     Are the arguments of the Administrative court convincing?

The main arguments of the court are assessed here.

  • The online shop and Facebook are processing personal data. The information that a customer of Facebook is at the same time a customer of the online shop is disclosed by the online shop to Facebook and, vice versa, by Facebook to the online shop. This information belongs to the respective customer and is therefore personal data. The hash only prevents the disclosure to Facebook of the identity of those customers who are not at the same time customers of both parties.
  • Facebook is not processing the data on behalf of the online shop. Facebook is not bound to adhere to the instructions of the online shop. For example, it has discretion over which customers will be the addressees of marketing activities. Finally, Facebook uses the data for its own purpose, since the information that a Facebook user is at the same time a customer of the online shop is added to the user profile of the Facebook account. Therefore, Facebook is the controller of the personal data.
  • The data processing of Facebook cannot be split into two parts, since Facebook uses the information that its user is at the same time a customer of the online shop for Facebook's own purpose.
  • The legal basis for the data transmission from the online shop to Facebook cannot be found in legitimate interest. The customer has concluded a contract with the online shop. He has the reasonable expectation that his data is not shared with other third parties. Therefore, by default a transmission from one controller to another controller requires the consent of the customer. That principle was underlined in a case of the DPA of Hamburg, which held that the transfer of personal data by WhatsApp to Facebook requires consent.[10]

It follows that the final decision will likely confirm the ruling summarised here, especially since the final decision will be rendered by the same Administrative Court.

3.    Will the final decision be valid under GDPR?

The upcoming final decision will be valid under the GDPR insofar as the Administrative Court consistently argues on the basis of Directive 95/46, which contains the same principles as the GDPR.

That means

  • first, that the Administrative Court has to take into account Working Paper 169 of WP29 with respect to data processing on behalf, and
  • second, that the Administrative Court declares the specific German data protection law on marketing invalid in light of Article 7 of Directive 95/46.

Otherwise the decision is likely to face an appeal.

[1] VG Bayreuth, B1 S 18.105, Beschluss v. 08.05.2018, http://www.gesetze-bayern.de/Content/Document/Y-300-Z-BECKRS-B-2018-N-9586

[2] Article 29 Working Party, WP169, Opinion 1/2010 on the concepts of “controller” and “processor”, adopted on 16 February 2010, page 13; http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf

[3] Thomas Müthlein, RDV (Recht der Datenverarbeitung) 2016, page 74

[4] Thomas Müthlein, RDV (Recht der Datenverarbeitung) 2016, page 74 (84)

[5] According to § 28 (3) BDSG a.F. (Federal German Data Protection Code, old version)

[6] According to § 28 (1) (no. 2.) BDSG a.F. (Federal German Data Protection Code, old version)

[7] The old version of the German data protection code (BDSG, Bundesdatenschutzgesetz) requires consent for marketing by default according to § 28 (3) BDSG a.F. As an exception, marketing is admissible without consent insofar as it concerns a group of people who share the same professional background, e.g. attorneys ("Listenprivileg"). On this legal basis a controller could start marketing activities directed at its own customers, but not at the customers of a third party. As stated above, since these requirements are more specific than legitimate interest under Article 7 of Directive 95/46, they are invalid on the ground of the effet utile of Article 7.

[8] ECJ, joined cases C‑468/10 and C‑469/10, ASNEF and FECEMD, judgment of 28 September 2010; https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62010CJ0468&from=EN

[9] ECJ, C‑582/14, Breyer, judgment of 19 October 2016; http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN ;
in addition see my respective article: Thomas Kahler, DPOblog.eu, ‘Do not track’ without consent – state German regulators

[10] See press release of the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, https://datenschutz-hamburg.de/pressemitteilungen/2018/03/2018-03-02-oberverwaltungsgericht-best%C3%A4tigt-verbot-des-datenaustauschs-zwischen-whatsapp-und-facebook