In a ruling delivered on Tuesday 5 June (C-210/16), the European Court of Justice held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page.
The German company Wirtschaftsakademie based in Schleswig-Holstein provides anonymous statistical data on visitors to the fan pages via a function called Facebook Insights which Facebook makes available to them free of charge. The data is collected by means of evidence files (‘cookies’).
In November 2011, as supervisory authority within the meaning of Directive 95/46, the regional data protection centre ordered Wirtschaftsakademie to deactivate its fan page. The reason for this decision is that neither Wirtschaftsakademie nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected personal data concerning them and their processed the data.
Wirtschaftsakademie submitted an appeal at the German courts. It argued that the regional data protection authority should have acted directly and exclusively against Facebook.
Requested by the Federal Administrative Court in Germany to interpret the case, the Court of Justice found in favour of the regional German authority against Wirtschaftsakademie, in compliance with the conclusions of the Advocate General (see EUROPE 11890).
In its decision, the Court of Justice starts by observing that it is not disputed in the present case that the Irish subsidiary of Facebook, Facebook Ireland, must be regarded as the ‘controllers’ responsible for processing the personal data of the visitors to the fan pages hosted on Facebook.
Next, the Court finds that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data. The Court holds that the German company takes part in the determination of the purposes and means of processing the personal data of the visitors to its fan page.
Wirtschaftsakademie can ask for demographic data (in anonymised form) – and thereby request the processing of that data (in terms of age, sex, relationships and occupations), information on the lifestyles and centres of interests of the target audience, including online purchasing habits and geographical data, telling the fan page administrator where to make special offers.
Finally, according to the Court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.
It should also be pointed out that the Court finds that the regional data protection authority of Schleswig-Holstein is competent for exercising all the powers conferred upon it under Directive 95/46 with regard to Facebook Germany located in Germany even though, under the terms of the distribution of missions within the social network, Facebook Germany is only responsible for the sale of advertising space in Germany and that the exclusive responsibility of the collection and processing of personal data in the whole of the EU belongs to Facebook Ireland. (Original version in French by Mathieu Bion)