Simonsen Vogt Wiig AS
  July 6, 2018 - Norway

EU Court Imposes Privacy Responsibilities on Facebook Administration

In a recent judgement the Court of Justice of the European Union (CJEU) concluded that an administrator of a Facebook fan page has independent obligations under European data protection law, and will be considered joint controller with Facebook for some processing activities.

The background for the case is a decision by a German data protection authority back in 2011 which held the administrator liable for lacking provision of information regarding the processing of personal data on Facebook. The administrator challenged this point of view, arguing that Facebook should be solely responsible.

In CJEU's ruling, the administrator of the fan page on Facebook was considered as a joint controller with Facebook regarding Facebook's collection and processing of personal data for statistics-generating purposes. The reasoning of the court is that the administrator participates in the determination of the purposes and means of Facebook's processing activities. This is the case even though the administrator itself does not conduct the collection and processing of personal data. 

As a joint controller, an administrator will be liable for not properly informing visitors about the processing activities of the fan page visitors' personal data. According to the court, the administrator should also take other responsibilities as a controller jointly with Facebook, albeit not necessarily "equal responsibility." Facebook's was considered controller for the platform as such, since it collects and processes personal data from fan page users in order to improve its advertising system, including generating statistics. Administrators, on the other hand, target customers by using such statistics. They define the parameters based on their own promotion/targeting objectives and receive corresponding demographic data provided by Facebook. 

Although the judgment is based on Directive 95/46/EC which was repealed by the EU General Data Protection Regulation (GDPR) on the 25th of May 2018, the basis for the finding, namely the notion of controllers, is intended to have the same meaning under GDPR.

What does the judgment mean for businesses?

It is important to note that the case refers to practices back in 2011, and Facebook has developed its services and privacy policy considerable since then. However, the judgment emphasises the need for businesses to evaluate their relationship with service providers/business partners with regard to processing of personal data. In practice, service providers tend to regard themselves as "independent controllers" rather than joint controllers to avoid being exposed to more liabilities. The judgment indicates that a joint controller situation may be inevitable in some cases where the activities of businesses are closely interlinked.

Businesses should therefore carefully assess the roles and responsibility for each processing activity. A joint controller situation will typically only be relevant for specific activities where the parties commonly determine the means and purposes of the processing. Under the GDPR, joint controllers are obliged to have an arrangement, typically in agreements and privacy statements, where they set out their respective responsibilities and the data subjects' rights in a transparent manner. In many cases, such an arrangement would be necessary also for independent controllers. 

Businesses should also note the importance of ensuring transparency regarding the processing of personal data. Controllers must ensure that their customers are able to understand the privacy implications of using their services.. This may require additional effort for joint controllers. Under such joint-controllership, businesses should make sure that they understand how their joint controllers make use of or otherwise handle personal data, since they can be held liable for the other controller's processing activities.

Link to Full Article