Fan pages jointly liable with Facebook – landmark of ECJ

The ECJ decided that the administrator of a fan page on Facebook is responsible for the respective data processing.[1] The administrator is a ‘joint controller’ together with Facebook. That means administrators cannot close their eyes to whether Facebook is infringing the GDPR. In addition, administrators are jointly liable for data breaches by Facebook.

  1. Facts and procedure

The ULD, which is the DPA (Data Protection Authority) of a German state (Schleswig-Holstein), issued an order against Wirtschaftsakademie – a private training provider – to close its fan page on Facebook. The case went through all instances of the Administrative Courts in Germany, and all three courts decided against the ULD. Eventually, the highest Administrative Court (Bundesverwaltungsgericht) asked the ECJ for a preliminary ruling on whether Wirtschaftsakademie is responsible for the data processing on the fan page. The ECJ decided that Wirtschaftsakademie is responsible for the data processing as a joint controller. Although the decision was based on Directive 95/46, it applies equally under the GDPR, which contains the same principles for joint controllers.[2]

  2. The decision of the ECJ

The ECJ states that Wirtschaftsakademie, as administrator, gives Facebook the opportunity to place a permanent cookie with a unique identifier on the device of each visitor to the fan page. This mechanism applies to all visitors, regardless of whether they have a Facebook account.

When opening a fan page, the administrator defines parameters depending on criteria such as its target audience and the aims of its activities.

“Consequently, the administrator of a fan page hosted on Facebook contributes to the processing of the personal data of visitors to its page.”[3]

The ECJ acknowledges that Wirtschaftsakademie only receives anonymised data from Facebook and has no access to the personal data processed by Facebook. But it states: “In any event, Directive 95/46 does not, where several operators are jointly responsible for the same processing, require each of them to have access to the personal data concerned.”

Joint controllers may hold different degrees of responsibility for the data processing. But each controller has to be involved in the essential stages of the processing.[4]

  3. Joint liability of fan pages with Facebook

The biggest risk for administrators of fan pages derives from the liability of joint controllers according to GDPR:

“Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage.”[5]

The administrator may be held liable for the entire damage caused by Facebook. Once the data subject has received full compensation, the administrator can seek internal compensation from Facebook. Liability may then be apportioned according to the responsibility of each controller.

  4. Fan pages bear the risk of being fined

In the case discussed, the administrator of the fan page tried to exclude its own responsibility while Facebook was infringing data protection law.[6] Following the decision of the ECJ on joint controllership, the case will move back to the Administrative Court to decide on the consequences.

The key question is whether one controller may exclude its own responsibility when it has knowledge of the other controller’s non-compliance.

Evaluating the role of a joint controller requires a look at the role of a ‘single’ controller. The controller determines the purposes and means of the processing of personal data according to Article 4 (7) GDPR.

The controller

  • is responsible for the data processing,[7]
  • has to demonstrate its compliance with GDPR,[8]
  • needs a legal basis for the processing,[9]
  • is the addressee of the rights of the data subject.[10]

In contrast, the processor carries out the processing on behalf of the controller,[11] is bound by the contract with the controller[12] and has to adhere to the instructions of the controller.[13] Insofar as the processor determines the purposes and means of the processing, and thus acts in contradiction to its role, it is transformed into a controller.[14] This indicates that the processor has less responsibility than the controller.

Joint controllers shall define their respective responsibilities in an arrangement. They do not necessarily share the same responsibility. This derives from Article 26 (1) GDPR and, at the same time, from the decision of the ECJ. The essence of the arrangement has to be made available to the data subject.

Within their defined responsibility, joint controllers

  • are responsible for the data processing,
  • need a legal basis for the processing.

For the selection of a joint controller, an analogy to the selection of a processor is advisable, since the controller relies on the processor to be compliant. A controller may choose only a joint controller which provides sufficient guarantees of compliance with the GDPR.[15] In addition, the joint controllers have to demonstrate their compliance to each other – similar to the obligation of a processor according to Article 28 (3) (h) GDPR.[16]

Several controllers may participate in a process without being joint controllers, e.g. a travel agency sends personal data to an airline and a chain of hotels for the reservation of a travel package.[17]

In contrast, joint controllers have complete responsibility towards the data subject. Irrespective of a different internal allocation of responsibility between them, the data subject can exercise his rights against any controller within the joint controllership according to Article 26 (3) GDPR. This is the same concept as for liability.

In the relationship between controller and processor, the GDPR does not allow a gap in responsibility. This principle applies equally to joint controllership.[18]

If one controller were able to point to the other controller in order to exclude its own responsibility, there would be no difference between joint controllership and a situation where several controllers separately contribute to a processing without being joint controllers.

Therefore, a controller within a joint controllership shall not be able to exclude its own responsibility where it has knowledge that the other controller infringes data protection law.

Since administrators of fan pages are not compliant with data protection law, they bear the risk of being fined.

  5. Conclusion

Administrators of fan pages

  • are in breach of data protection law,
  • face the risk of being fined and
  • bear the risk of being held liable for a data breach by Facebook,

unless Facebook can demonstrate its compliance.[19]


[1] ECJ, C‑210/16, judgment of 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein; http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130da728d5356b24640cdb2d2cb52e58f0d45.e34KaxiLc3eQc40LaxqMbN4Pb3iSe0?text=&docid=202543&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=211016

[2] Marosi, Johannes: Who Controls a Facebook Page?, VerfBlog, 2018/6/06; https://verfassungsblog.de/who-controls-a-facebook-page/

[3] ECJ, C‑210/16, judgment of 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, paragraph 39; http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130da728d5356b24640cdb2d2cb52e58f0d45.e34KaxiLc3eQc40LaxqMbN4Pb3iSe0?text=&docid=202543&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=211016

[4] ECJ, C‑210/16, judgment of 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, paragraph 43; http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130da728d5356b24640cdb2d2cb52e58f0d45.e34KaxiLc3eQc40LaxqMbN4Pb3iSe0?text=&docid=202543&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=211016

[5] Recital 146 GDPR.

[6] Based on the facts established by the highest Administrative Court (Bundesverwaltungsgericht), namely that Facebook was installing a permanent cookie with a unique identifier on the device of each visitor to the fan page.

[7] According to Article 24 (1) GDPR.

[8] According to Article 24 (1) GDPR; see the respective article on DPOblog, “Accountability – the gravity centre of GDPR”, https://dpoblog.eu/accountability-the-gravity-centre-of-gdpr

[9] According to Article 5 (1), Article 6 (1) GDPR.

[10] Inter alia according to Article 13, Article 15 GDPR.

[11] According to Article 4 (8) GDPR.

[12] According to Article 28 (1) GDPR.

[13] According to Article 28 (3) (a) GDPR.

[14] According to Article 28 (10) GDPR; see e.g. the SWIFT case, where SWIFT, performing transactions for banks, was seen as a controller: Article 29 Working Party, Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’, WP 169, page 9; http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf

[15] According to Recital 81 GDPR.

[16] See the respective article on DPOblog, “Accountability – the gravity centre of GDPR”, https://dpoblog.eu/accountability-the-gravity-centre-of-gdpr

[17] See example no. 7 in Article 29 Working Party, Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’, WP 169, page 24; http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf

[18] In respect of Directive 95/46 see Article 29 Working Party, Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’, WP 169, page 24; http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf

[19] According to the accountability principle Article 5 (2) GDPR, see the respective article on DPOblog, “Accountability – the gravity centre of GDPR”, https://dpoblog.eu/accountability-the-gravity-centre-of-gdpr