Professor Lorna Woods, University of Essex
Case Summary
The Wirtschaftsakademie, a business using a Facebook fanpage, was ordered by the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), a German data protection authority, to deactivate their page. The ULD argued that the page failed to warn visitors about potential data collection by Facebook through cookies.
This case highlights the benefits and data implications associated with Facebook fanpages. Page administrators benefit from free, anonymous user statistics through “Facebook Insights,” while Facebook gathers data for targeted advertising. The Wirtschaftsakademie, challenging the ULD’s order, argued they weren’t liable for Facebook’s data processing. The case raised key questions about data responsibility, regulatory authority jurisdiction, and the legality of data processing methods.
Both the Advocate General and the Court of Justice concluded that both the Wirtschaftsakademie and Facebook were data controllers. They determined that Facebook’s operations in Germany allowed ULD to pursue enforcement.
The Court’s Decision
The Court determined that utilizing Facebook to connect with an audience doesn’t automatically make a user responsible for data processing. However, using fanpages, which enable engagement with Facebook and influence data collection, does create a degree of responsibility. While Facebook controls the purpose and method of data processing, the fanpage administrator shares responsibility, especially for non-Facebook users whose data might be processed without explicit consent.
The Court acknowledged the shared responsibility between Facebook and the fanpage administrator isn’t equal and should be evaluated case by case. Although Facebook might hold greater responsibility, the administrator’s role in data collection from non-Facebook users on the fanpage increases their liability.
Regarding jurisdiction, the Court stated that if a non-EU company, like Facebook, operates within a member state, the local supervisory authority can exercise its powers concerning data processing within that state, regardless of the company’s presence in other member states. As Facebook has an office in Germany and processes data there, the ULD was deemed competent to act.
The Court also decided each supervisory authority operates independently when determining the legality of data processing. Cooperation between authorities shouldn’t prioritize one authority’s view over another.
Analysis
This landmark case clarified the authority of supervisory bodies, their right to disagree, and broadened the understanding of “data controller,” significantly impacting data protection practices. The ruling might discourage businesses from utilizing platforms like Facebook if they fear potential liabilities, although the extent of responsibility remains unclear.
Although this case pertained to the Data Protection Directive, its principles apply to the General Data Protection Regulation (GDPR). The GDPR maintains the concept of “controller” and “joint controllers,” solidifying this case’s relevance.
The GDPR introduces the “one-stop shop” mechanism, aiming to streamline interaction between multi-jurisdictional controllers like Facebook and a single lead supervisory authority. However, exceptions exist, allowing other authorities to claim jurisdiction based on individual complaints or if infringements primarily impact local establishments or data subjects.
The GDPR doesn’t explicitly address jurisdiction in cases with joint controllers. The Article 29 Working Party guidelines, adopted by the European Data Protection Board, propose joint controllers designate a main establishment. However, this raises concerns about potential power imbalances between joint controllers, such as Facebook and its users. A designated authority in a different country could disadvantage individuals or small businesses.
This case’s impact extends beyond Facebook fanpages. Similar concerns about data protection arise with tools like “like” buttons and Google Analytics. The judgment raises questions about data responsibility in situations involving user data processing by third-party platforms or services, highlighting the need for further clarification in the evolving landscape of data protection.
Photo credit: 77reviews.com