On June 5, 2018, the European Court of Justice (CJEU) issued its preliminary ruling in C‑210/16, opining on the definition of data controller, applicable national law, and jurisdiction under EU data protection law according to Directive 95/46/EC.
According to the CJEU’s judgement, EU companies that have been advertising through Facebook can be considered data controllers with all the responsibility and liability that comes with that. Although this case was decided under Directive 95/46/EC, it is safe to assume that some interpretations will be applicable under the EU General Data Protection Regulation (GDPR, Regulation EU 2016/679), which replaced the Directive.
Background. The Hamburg DPA (HmbBfDI, Hamburgischen Beauftragten für Datenschutz und Informationsfreiheit) issued an order against an education company (Wirtschaftsakademie Schleswig-Holstein) to deactivate its fan page hosted by Facebook Ireland (the entity that Facebook Inc designated as EU controller of personal data). The company used the fan page to promote its business.
The German DPA alleged that, by failing to inform end users visiting the fan page that their data would be automatically collected by Facebook via cookies installed on their computing equipment, the fan page infringed a variety of provisions of German data protection law implementing Directive 95/46/EC.
The education company argued that it was not a data controller and therefore it was not responsible for the activities carried out by Facebook, including the automatic installation of cookies on end users’ computing equipment. It should not be subject to the exercise of the powers of the German DPA.
To decide the issue, the Bundesverwaltungsgericht (the German Federal Administrative Court) requested a preliminary ruling from the CJEU on the definition of data controller, applicable national law, and jurisdiction under applicable EU data protection law.
The CJEU followed Advocate General Bot’s preliminary opinion issued on October 24, 2017. See here.
The concept of controller is far reaching. According to the judgement, the administrator of a fan page on a social network is responsible – as a controller within the meaning of Article 2(d) of Directive 95/46/EC – for the processing of personal data consisting in the collection by that social network of the data relating to people who visit the fan page.
The Court found that
“The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data” and that “the concept of ‘controller’ within the meaning [of the relevant provision of the EU Data Protection Directive] encompasses the administrator of a fan page hosted on a social network”.
However, “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed” according to the relevant circumstances.
The same interpretation seems to be applicable under the GDPR, particularly given that Article 26 GDPR now includes the concept of joint controllers: “where two or more controllers jointly determine the purposes” of processing.
National data protection laws are applicable under Directive 95/46/EC. [WARNING: THE FOLLOWING IS NOT APPLICABLE UNDER THE GDPR] The CJEU rejected Facebook’s claim of sole Irish jurisdiction in the EU. The CJEU deemed the German supervisory authority entitled to exercise its powers of intervention with a view to stopping the personal data processing at issue according to its own national law. See Articles 4(1)(a) and 28(1), (3) and (6), Directive 95/46.
In this case, Facebook Inc. – established outside the European Union – provides social network services in the territory of the European Union through several establishments: one (Facebook Ireland) has been designated by the parent company as the controller of personal data processing in the European Union, and another (Facebook Germany) is responsible for advertising and marketing directed toward German residents. The activities of Facebook’s establishment in Germany must be regarded as “inextricably linked to the processing of personal data at issue”, for which Facebook Inc. is jointly responsible with Facebook Ireland.
DPAs have autonomous powers to intervene under Directive 95/46/EC. The CJEU concluded that Directive 95/46/EC should be interpreted as meaning that “the supervisory authority of the Member State in which the establishment of the controller is located is entitled to exercise its powers of intervention against that controller autonomously and without being required first to call on the supervisory authority of the Member State in which the controller is located to exercise its powers”. See Article 28(1), (3) and (6) of Directive 95/46.
GDPR. Under the GDPR this will change due to the one-stop-shop mechanism. This means that a controller that carries out cross-border data processing, such as Facebook, will have only one supervisory authority as interlocutor, namely the lead supervisory authority, which will be the authority for the place where the controller’s main establishment is located.
More on GDPR is available at http://www.technethics.com…
The judgement of the Court in Case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht, is available at http://curia.europa.eu…
For more information on how the EU data protection regulation may affect your business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.