Administrators of Facebook Pages are controllers under EU Data Protection Law
Der Bayerische Landesbeauftragte
für den Datenschutz
EU Court of Justice confirms the position of Schleswig-Holstein data protection authority: Administrators of Facebook Pages are jointly responsible for data processing operations of Facebook
Today the EU Court of Justice (ECJ) ruled that the administrator of a Facebook Page (known as Fa-cebook Fanpages in Germany) is – jointly with Facebook – responsible under EU data protection law for the processing of personal data of Facebook Page visitors in order to compile usage statistics.
The case originated in proceedings before German administrative courts in 2011 between Wirt-schaftsakademie Schleswig-Holstein GmbH and Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD). Wirtschaftsakademie argued that it could administer a Facebook Page without ensuring that Facebook complies with data protection obligations. The ECJ clarified that this view is incompatible with EU data protection law: The fact that an administrator of a Facebook Page uses the platform provided by Facebook in order to make use of its services cannot exempt them from their responsibility for the protection of personal data, the EU court said (para. 40).
Controller is who determines the purposes and means of the processing of personal data. The ECJ held that the concept of controllership has to be interpreted broadly in order to ensure effective and comprehensive protection of data subjects. The Facebook Page administrator is participating in the decision on the purposes and means of processing the personal data of Facebook page visitors. The Facebook Page administrator designs their information and communication offer and thereby contributes to the processing of personal data of Facebook Page visitors. As Facebook also determines purposes and means of the processing, Facebook and the Facebook Page administrator are responsible jointly under data protection law.
The ECJ states that Facebook Page administrators are not a regular Facebook user and by using a Facebook Page, gives Facebook the opportunity to place cookies. As joint controller the Facebook Page administrator profits especially from the use of filters and criteria provided by Facebook in order to gather statistical insights. According to the ECJ with regard to the responsibilities of con-trollers it is irrelevant whether the Facebook Page administrator has access to the personal data processed by Facebook.
The ECJ further confirms that ULD can take measures as supervisory authority against controllers in Schleswig-Holstein, which administer Facebook Pages. The mere possibility to take measures against Facebook in Ireland does not prevent measures against a jointly responsible local controller who administer a Facebook Page.
The Data Protection Commissioner of Schleswig-Holstein, Marit Hansen, welcomed the judgment of the ECJ: “The judgment confirms my view that there must not be gaps in responsibility under data protection law. This means specifically that all administrators of Facebook Pages have to ensure that they and Facebook conform to their respective obligations under data protection law. It must be clear who carries out these obligations vis-à-vis Facebook Page visitors. This is particularly important with regard to the information obligations: transparency is required for the processing of data concerning all users – whether they are member of Facebook or non-members. Any data subject can exercise the data subject rights, for instance the right to access or rectification, and demand that both, Facebook and the Facebook administrator conform to these.
Hansen further stresses that it will be necessary in the future to refer questions on the interpretation of the General Data Protection Regulation to the ECJ in the early stages of court proceedings: “Swift adjudication is paramount for legal certainty. Legal proceedings on these essential concepts of data protection law must be fast tracked. Some instances of abuse of personal data, such as Cambridge Analytica, could perhaps have been avoided if all German or, better yet, all European Facebook Page administrators had ensured compliance with EU data protection law in 2011.”
For further information please contact:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Holstenstr. 98, 24103 Kiel, Germany
Phone: +49 431 988-1200; Fax: -1223