Blog

Are You a Joint Controller with Facebook? The CJEU’s Judgment in Case C-210/16

How many companies maintain business-oriented pages on Facebook?  Millions. In today’s social media driven economy — where individuals digest news, shopping, and friend’s updates all on the same platform — companies are increasingly trying to harness those platforms to drive customers to them.  Even our firm has a Facebook page, a LinkedIn page, and a Twitter account. (Although, admittedly, some of our pages are somewhat out of date, and low on content).

In a post-GDPR era, what does it mean to have a business account on one of these social media platforms?  Who is the “controller” of that data? On June 5, 2018, the Court of Justice of the European Union (“CJEU”), the highest court within the European Union, issued Judgment in Case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (“Wirtschaftsakademie”). (If you can pronounce that, by the way, you get a gold star).

A brief background on this case will help to understand its broader ramifications:  the German Data Protection Authority ordered Wirtschaftsakademie, a German company that provides educational services, to deactivate its Facebook fan page.  With its fan page, Wirtschaftsakademie was able to access anonymous data collected on visitors to the fan page through “Facebook Insights,” a feature offered to the fan page creators.  The German Data Protection Authority found that since neither Facebook nor Wirtschaftsakademie informed visitors to the fan page that Facebook collects personal data via cookies and then processed the data, Wirtschaftsakademie was in violation of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”).  As such, Wirtschaftsakademie, the page administrator, was required to deactivate its account.

Ultimately, the German courts referred a number of questions to the CJEU to address, one of which related to whether the Wirtschaftsakademie and Facebook were joint controllers as it relates to data collected on its fan page.  Specifically, the Court addressed whether relevant German and EU data protection law

“must be interpreted as allowing an entity to be held liable in its capacity as administrator of a fan page on a social network where the rules on the protection of personal data are infringed, because it has chosen to make use of that social network to distribute the information it offers.”

Judgment, ¶ 25.  The Court clearly stated that Facebook is considered a “controller” under the Directive in the collection of personal data on the fan page.  Id., ¶30. Even recognizing that Facebook controlled much of the processing of personal data it received on a fan page, the Court concluded that:

“While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network, it must be stated, on the other hand, that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.”

Judgment, ¶ 35.  Because “the creation of a fan page on Facebook involves the definition of parameters by the administrator, depending inter alia on the target audience and the objectives of managing and promoting its activities,” an administrator “influences” and “contributes to” the data ultimately collected and processed by Facebook and is considered a joint controller.  Id., ¶36, 39.

The Court continued that the Directive does not require joint controllers to both have access to the personal data in its “personal” form.  The fact that an administrator only has access to anonymized data does not diminish its liability for the original collection and processing of the non-anonymized personal data.  Judgment, ¶38.

Now, before you hit the panic button, the Court didcomment that joint responsibility by joint controllers does not mean equal responsibility: “operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.”  Judgment, ¶43.

However, while you don’t need to panic, ignoring the Judgment is not a good idea either.  This Judgment has some potentially large ramifications for businesses and social media platforms, even it is based on the Directive, that was repealed on May 25, 2018 by the GDPR.  First, while the Directive recognized processing data jointly, the GDPR expressly recognizes “Joint Controllers”, defining the term and outlining requirements at Article 26. The main goal of Article 26 is transparency:  providing the data subject with information related to the roles and processing activities of the joint controller — i.e., what the German courts found lacking on the Facebook fan page.

Second, this Judgment will force companies to reassess their relationships with social media platforms — and social media platforms will need to reassess their role within the data transaction.  As joint controllers both entities have significant liability for the other’s actions. Companies will need to assess how much value is received by maintaining a fan page — or similar type of “page” on these platforms, and whether that value outweighs the added responsibility of maintaining the particular type of social media presence.  

Social media platforms, in turn, will need to create mechanisms to provide key information to data subjects so that these individuals understand the collection and processing of personal data.  It is the provision of information to the end user that is ultimately going to help to minimize liability of all parties concerned in these situations.

Social media is here to stay — its power and reach are unmatched– but so is the GDPR.  We are already seeing the CJEU start to peel back the layers within these platforms to provide data subjects with more transparency and control.  In a post-GDPR world, these efforts will continue and we will need to watch to see how companies respond — and those that are proactively incorporating privacy and transparency within their companies will be ahead of the curve.            

* * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.