
Case Law, Luxembourg, Facebook

“Fan Page” case, administrator held to be data controller and jurisdictional issues clarified

In an important decision the CJEU has found that the administrator of a Facebook ‘fan page’
was a joint data controller with Facebook Ireland and Facebook Inc, and that a German data
protection supervisory authority is competent to assess the lawfulness of data processing
carried out by Facebook Germany, applying German data protection law.

The decision in “Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v
Wirtschaftsakademie Schleswig-Holstein” is likely to have significant implications for
Facebook and for those who are using social media sites for certain purposes that go beyond
merely personal ones. It may lead to further attempts to sue Facebook UK Limited in this
jurisdiction.

Background

This case concerns the liability of administrators of a Facebook ‘fan page’ under German data
protection laws. Fan pages are user accounts that can be set up on Facebook by individuals
or businesses. Administrators of fan pages can obtain anonymous statistical information on
visitors to the fan pages via a function called ‘Facebook Insights’ which Facebook makes
available to them free of charge under non-negotiable conditions of use. That information is
collected by means of evidence files (‘cookies’) which are active for two years and are stored
by Facebook on the hard disk of the computer or on other media of visitors to fan pages.

In November 2011, the supervising data protection authority for Schleswig-Holstein (one of
Germany’s “länder” or provinces), the Unabhängiges Landeszentrum für Datenschutz
Schleswig-Holstein, “ULD”, ordered Wirtschaftsakademie Schleswig-Holstein GmbH, a private
education company, to deactivate a fan page it had set up on Facebook on the grounds that
it was collecting cookies from visitors to the fan page and neither the education company nor
Facebook Ireland had informed users that their personal data would be processed in this way.

The education company complained about the decision arguing that it was not responsible
for processing the personal data or for the cookies which Facebook installed. The ULD
dismissed the complaint stating (according to the CJEU decision) that the education company
“had made an active and deliberate contribution to the collection by Facebook of personal
data relating to visitors to the fan page, from which it profited by means of the statistics
provided to it by Facebook”.

The German company appealed and the case proceeded through the German courts, with the
courts finding against the ULD and holding that an administrator of a fan page on Facebook
was not a data controller. The case reached the Federal Administrative Court which made a
reference to the CJEU for a preliminary ruling on a series of questions. The first two questions
were premised on the assumption that the administrator of a fan page on Facebook was not
a data controller. The remaining questions related to the issue of jurisdiction and whether the
ULD could take steps against Facebook Germany and require it to implement measures
and orders implementing data protection legislation, when Facebook Germany’s sole function
was to promote the sale of advertising space on Facebook and it did not process personal
data; or whether such steps need to be taken in or involving Ireland, as Facebook Ireland was
the entity in a Member State that was responsible for processing the personal data.

Judgment

In a judgment that is reminiscent of the ‘Google Spain’ decision, the CJEU again adopted a
broad interpretation of Directive 95/46, consistent with its aim of ensuring “a high level of
protection of the fundamental rights and freedoms of natural persons, in particular their right
to privacy, with respect to the processing of personal data”. There were two broad topics
dealt with which I have considered in turn below.

Data Controllers

Firstly the issue of ‘data controllers’. The CJEU disagreed with the premise of the initial
questions, holding that the education company was a data controller along with Facebook
Ireland and that this was the case even though it didn’t have access to the personal data
concerned.

The Court’s rationale was that the aim of Directive 95/46 was “effective and complete
protection of the persons concerned” (citing Google Spain, C-131/12, EU:C:2014:317) and
that the concept of a “controller” does not necessarily refer to a single entity and may concern
“several actors taking part in that processing, with each of them then being subject to the
applicable data protection provisions”.

In the present case the processing of the personal data was to enable Facebook to improve
its system of advertising and to enable the fan page administrator to obtain statistics
produced by Facebook from the visits to the page, for the purposes of managing the
promotion of its activity. For example the fan page administrator would be made aware of the
profile of the visitors who like its fan page or use its applications, so that it could offer them
more relevant content and develop functionalities likely to be of more interest to
them. ‘Facebook’ here refers to both Facebook Inc and Facebook Ireland who are joint data
controllers – a matter that the CJEU stated was not challenged.

Unlike an ordinary Facebook user with an ordinary account, the administrator of a fan page
created a page that gave Facebook the opportunity to place cookies on the computers or other
devices of a person visiting its fan page, whether or not that person had a Facebook account.
Accordingly, the Court found that the administrator’s acts in setting up the fan page had an
influence on the processing and contributed to the processing of the personal data of visitors
to its page:

“…the creation of a fan page on Facebook involves the definition of parameters by the
administrator, depending inter alia on the target audience and the objectives of managing
and promoting its activities, which has an influence on the processing of personal data for
the purpose of producing statistics based on visits to the fan page. The administrator may,
with the help of filters made available by Facebook, define the criteria in accordance with
which the statistics are to be drawn up and even designate the categories of persons whose
personal data is to be made use of by Facebook. Consequently, the administrator of a fan
page hosted on Facebook contributes to the processing of the personal data of visitors to its
page.”

It relied on the fact that administrators could ask for – and request the processing of –
demographic data such as trends in terms of age, sex and occupation.

The fact that the administrator did not have access to the personal data concerned but only
anonymised data was not relevant as:

“Directive 95/46 does not, where several operators are jointly responsible for the same
processing, require each of them to have access to the personal data concerned.”

The fact that the administrator, Facebook Inc and Facebook Ireland were joint data controllers
did not necessarily imply equal responsibility – the levels of responsibility of each of them
must be assessed with regard to all the relevant circumstances of the particular case. The
Court noted that the fan page could be visited by non-Facebook users and held that the fan
page administrator’s responsibility for the processing of the personal data of such persons
“appears to be even greater, as the mere consultation of the home page by visitors
automatically starts the processing of their personal data.”

Jurisdiction

The ULD was entitled to exercise its powers in respect to Facebook Germany as the two
conditions set out in Article 4(1) of Directive 95/46 were satisfied.

The first condition is that the controller responsible for the processing of the personal data
must have an establishment in the Member State of the supervisory authority. This implies
the “effective and real exercise of activity through stable arrangements” and the legal form of
the establishment is not the determining factor [54]. In the current case, Facebook Inc., as
controller jointly responsible with Facebook Ireland for processing personal data, has a
permanent establishment in Germany, namely Facebook Germany, and Facebook Germany
effectively and genuinely exercises activities in that Member State.

The second condition is that the processing of personal data must be carried out ‘in the
context of the activities’ of the establishment in question. The Court held that this cannot be
interpreted restrictively in view of the objective pursued by Directive 95/46 of ensuring
effective and complete protection of the fundamental rights and freedoms of natural persons,
and in particular their right to privacy with respect to the processing of personal data. The
processing is not required to be carried out “by” the establishment but only “in the context of
the activities of” the establishment. The activities of Facebook Germany in promoting and
selling advertising space are inextricably linked to the processing of the personal data by
Facebook Inc and Facebook Ireland, which in the present case related to the installation of
cookies to enable Facebook to improve its system of advertising.

Finally the CJEU held that the ULD did not need to call upon its equivalent Irish data protection
supervisory authority to intervene before reaching or in order to reach a decision. While the
second sub-paragraph of Article 28(6) of Directive 95/46 provided for cooperation, it did not
lay down any criterion of priority governing the intervention of one supervisory authority as
against another, nor does it lay down an obligation to comply with positions that may have
been expressed by the supervisory authority of another Member State. Accordingly, a
supervisory authority which is competent under its national law is not obliged to adopt the
conclusion reached by a supervisory authority in another Member State in an analogous
situation.

Comment

This is an important judgment with potentially wide ramifications. The decision on jurisdiction
follows the path established in the Google Spain case under the 1995 Directive. Global
companies with presence in many Member States cannot evade jurisdiction of such Member
States by carrying out all the data processing in only one of them; the test is whether the
processing is being carried out ‘in the context of’ the activities of the establishment in each
Member State. While the decision related to whether a supervisory authority had power over
Facebook Germany, it may well have broader consequences. Assuming the position of
Facebook UK is the same as Facebook Germany, there would be a good case for arguing that
data protection proceedings could be brought against it in this jurisdiction. This is contrary
to the position as it had previously been thought to be.

This decision, reached by reference to Recital 19 of Directive 95/46, is likely to remain
unchanged as Recital 22 of the GDPR is in very similar terms in respect of this issue. Recital
22 provides:

“Any processing of personal data in the context of the activities of an establishment of a
controller or a processor in the Union should be carried out in accordance with this Regulation,
regardless of whether the processing itself takes place within the Union. Establishment implies
the effective and real exercise of activity through stable arrangements. The legal form of such
arrangements, whether through a branch or a subsidiary with a legal personality, is not the
determining factor in that respect”.

Not only this, but the territorial scope under the GDPR is expressly wider and it applies in
certain situations “regardless of whether the processing itself takes place within the Union”
(see, for example, Recital 22 above and Article 3(1)). This is in recognition of the increasingly
global manner in which goods and services are offered via the internet and designed to meet
the aim of the GDPR in protecting data subjects (see, for example, Recital 23).

The broad view on jurisdiction in the judgment is accompanied by a wide definition of data
controller. Some might find it startling that a data controller can be a person who does not even
have access to the personal data in issue, or that the education company could be said – in
reality – to be ‘determining the purposes and means of processing the data’. While the CJEU
made it clear that merely using social media sites such as Facebook would not make an
ordinary Facebook user a joint data controller (see [35]), this will not be of comfort to the
administrators of Facebook ‘fan pages’ and others in a similar position who, as a result of this
decision, should have been complying with the data protection principles under the old
regime. Nor can such people rely on the fact that this was a decision under Directive 95/46
and not the GDPR, as the definition of ‘controller’ under Article 4(7) of the GDPR is materially
the same as Article 2(1)(d) of the Directive – and there is no reference in either to the controller
needing to have access to personal data. If the position is the same under the GDPR, such
controllers are “responsible for and must demonstrate compliance with” the data protection
principles set out in Article 5(1)(a) to (f) GDPR: the net of those caught by the administrative
burden of GDPR compliance continues to grow.
