Facebook Fan Pages Too Eu Information Protection Law: The Implications Of Unabhängiges Landeszentrum Für Datenschutz Schleswig-Holstein V. Wirtschaftsakademie Schleswig-Holstein Gmbh
May 12, 2018
Edit
Professor Lorna Woods, University of Essex
Facts of the Case
Many businesses rely on Facebook to back upward their line of piece of work organization using a Facebook fanpage (which requires a specific registration alongside Facebook) in addition to the Wirtschaftsakademie is 1 such. In this case, it received a observe from the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, a regional data-protection authorization inward Schleswig-Holstein (‘ULD’), to deactivate the fanpage. The ULD argued that the people coming to the page were non warned that their personal information would endure collected yesteryear Facebook yesteryear agency of cookies placed on the visitors’ hard disks.
For the mortal running the fanpage, the wages of using it is the receipt of (anonymous) statistics on site work from Facebook via a tool called ‘Facebook Insights’, a tool which is available gratis of accuse nether the standard, non-negotiable terms of use. For Facebook, it allows the acquisition of information to facilitate profiling for the purposes of delivering targetted adverts. The Wirtschaftsakademie challenged the ULD’s order, disceptation that it was non responsible for the processing of information yesteryear Facebook. Influenza A virus subtype H5N1 number of questions were referred to the Court of Justice on the interpretation of the Data Protection Directive (Directive 95/46, the DPD), focussing on the questions of:
- who was responsible for the information (ie who is a controller);
- which regulatory authorization mightiness select action; in addition to if so,
- whether it would endure constrained yesteryear the opinions every bit to the legality of the processing of other competent supervisory authorities.
The Advocate-General took the view that both the Wirtschaftsakademie in addition to Facebook were controllers and, although Facebook was established inward Ireland, next the approach of the Court to jurisdiction inward here), Facebook’s activities had to endure assessed inward the lite of its activities inward Germany. ULD could thus convey the enforcement action. In a judgment of the fifth June 2018, the Court of Justice came to the same conclusion.
The Judgment
The Court construed the outset 2 questions referred (on Articles 2(d) in addition to 17 DPD) every bit yell for whether the alternative of Facebook every bit a agency of reaching its audience agency that a user so doing is responsible for the information processing. The Court, drawing on the approach inward GoogleSpain in addition to emphasising the aim of the DPD beingness to protect privacy, re-iterated that the concept of “controller” should endure interpreted broadly, particularly every bit the Definition of “controller” foresees the possibility of articulation controllers. Certainly Facebook determines the purposes in addition to agency of processing, thus bringing it inside the important of “controller”. As regards the Wirtschaftakademie, the Court stated that mere work of the network would non brand a user a controller, but that the work of fanpages involves to a greater extent than engagement alongside Facebook, in addition to that engagement influences whose information is collected yesteryear Facebook (on the fanpage). Although the statistics are transmitted to the fanpage administrator inward anonymous form,
“Directive 95/46 does not, where several operators are jointly responsible for the same processing, require each of them to have got access to the personal information concerned” (para 38).
Whilst Facebook mightiness behave the well-nigh responsibleness for processing, the Court also noted that where the fanpage is visited yesteryear those who create non have got a Facebook line of piece of work organization human relationship (and have got thus non signed upward to Facebook’s terms),
“the fan page administrator’s responsibleness for the processing of the personal information of those persons appears to endure fifty-fifty greater, every bit the mere consultation of the habitation page yesteryear visitors automatically starts the processing of their personal data” (para 41).
Concurring alongside the see of the Advocate General, the Court accepted that articulation responsibleness was non the same every bit equal responsibleness – responsibleness should endure assessed on the footing of the illustration inward mitt (para 43). The consequences of this for the supervisory authorization - or the co-controllers - are not, however, drawn out.
The Court grouped questions iii in addition to iv together to ask, where a non-EU companionship had multiple European Union establishments, which regulator(s) would have got the powerfulness to deed (under Article 28(3) DPD). As had been noted inward Weltimmo (Case C-230/14, discussed here), the supervisory authority’s powers are, inward general, limited to its ain territory. Reading Article 28 DPD inward the lite of Article 4(1) DPD, the Court stated that:
“where the national constabulary of the Member State of the supervisory authorization is applicable nether Article 4(1)(a) of the directive because the processing inward inquiry is carried out inward the context of the activities of an institution of the controller inward the territory of that Member State, that supervisory authorization tin exercise all the powers conferred on it yesteryear that constabulary inward observe of that establishment, regardless of whether the controller also has establishments inward other Member States” (para 52).
The inquiry so becomes whether the controller satisfies the double essay inward Article 4(1) – that is, (1) whether the controller has an institution inward the fellow member State inward which the supervisory authorization is based; in addition to (2) whether the processing is carried out ‘in the context of the activities’ of the establishment. Re-iterating Weltimmo, the Court stated that:
“establishment inward the territory of a Member State implies the effective in addition to existent exercise of activity through stable arrangements, in addition to the legal shape of such an establishment, whether precisely a branch or a subsidiary alongside a legal personality, is non the determining factor” (para 54).
Facebook maintains an work inward Federal Republic of Federal Republic of Germany through Facebook Germany; the processing demand non endure yesteryear the controller itself but inward the context of its activities – a phrase non to endure interpreted narrowly (as already established inward Weltimmo in addition to Google Spain). The Court noted that the placing of the cookies in addition to the next analysis of the resulting information was intended to enable Facebook to improve its scheme of advertising yesteryear ameliorate targetting its commercial communications; inward developing this declaration the Court expressly adopted the reasoning of the Advocate General. It concluded that ULD was thus competent to intervene.
The Court farther held, inward dealing alongside questions v in addition to 6, that the determination of lawfulness is for each supervisory authorization to undertake every bit an independent body. The obligation on supervisory government to cooperate alongside 1 around other does non attribute priority to the views of 1 supervisory authorization over another, nor require a supervisory authorization to comply alongside views expressed yesteryear around other (para 69-70).
Comments
This illustration was significant: it determined the powerfulness of the supervisory government in addition to their respective rights to disagree. It also cast the internet widely every bit regards the important of controller, in addition to every bit a termination the personal reach of the DPD, alongside implications for the exercise of tracking in addition to behavioural profiling. It may endure less slow to larn content providers to work these platforms if they come upward alongside a potentially hefty liability price-tag – though every bit noted the extent of differential responsibleness inward this context is non yet known. The ruling made clear that the mere possibility of taking measures against Facebook inward Ireland, or a determination yesteryear the Irish Gaelic supervisory authorization non to institute measures, would non foreclose measures beingness taken against a jointly responsible local controller who administers a Facebook Page. Following the ECJ’s ruling, the High German information protection government have got issued guidance every bit to what users of Facebook fanpages must create to comply alongside the constabulary (see here in addition to here).
Nonetheless, around are questioning the case’s long-term significance. The illustration referred to the DPD; the General Data Protection Regulation (GDPR) is directly inward force. To what extent is this determination so precisely a history lesson? The GDPR did non alone create away alongside concepts used inward the DPD, so insofar every bit the GDPR refers to “controller” it would seem that that term should endure interpreted inward the lite of this case; likewise the GDPR expressly envisages the possibility of articulation controllers.
Perhaps the big alter is the introduction of the one-stop store machinery alongside the GDPR. Although the GDPR full general approach inward Article 55 GDPR to national supervisory jurisdiction is based on Article 28(6) DPD, Article 56 GDPR aims to ensure that a multi-jurisdictional controller deals principally alongside 1 regulator. The one-stop store machinery is not, however, quite every bit elementary every bit that. There are exclusions from in addition to exceptions to this regulation (see Article 55(2) in addition to Article 56(2)), every bit good every bit mechanisms to ensure that the diverse national supervisory government hold broadly inward line alongside 1 another. Thus multiple regulators (from the perspective of service providers such every bit Facebook) stay a possibility. Article 56(2) provides for a supervisory authorization other than the Pb supervisory authorization to seek jurisdiction. The circumstances inward which this could arise are inward relation to complaints made yesteryear individuals to it; or inward relation to possible infringements if they either concern only the local establishment, or substantially touching on information subjects only inward the local Member State. In this context, a supervisory authorization mightiness select the see that a fanpage targets information subjects inward its particular territory.
Whether or non these would touching on Facebook’s powerfulness to handle alongside precisely 1 regulator is 1 inquiry but what has non yet been considered is the impact going forrad on whatsoever co-controller. The GDPR is soundless on how jurisdiction is to endure assigned inward cases where in that location are articulation controllers. The Article 29 Working Party Guidelines, which have got been adopted by the European Data Protection Board (EDPB), propose that the articulation controllers should designate the principal establishment.
Whether this would endure appropriate inward the context of unequal bargaining powerfulness betwixt the articulation controllers – every bit inward the illustration of Facebook in addition to its users – is uncertain. If Facebook designated every bit component of its terms of work that the relevant supervisory authorization were to endure the Irish Gaelic Information Commissioner, this would hateful that the weaker political party could endure dependent patch to regulation from a ‘foreign’ regulator – maybe inward around other language. This may endure to a greater extent than hard for an private or pocket-size line of piece of work organization to handle alongside than for a multinational company. This number has yet to endure direct addressed. In sum, it could endure argued that the movement the GDPR does cypher to take away the exposure to liability which mightiness travel a disincentive to businesses which run into a fanpage every bit a low-cost alternative to travel on to work fanpages (and similar platforms).
We mightiness ask, moreover, is it precisely Facebook fanpages that would endure affected yesteryear thie Court’s reasoning. There is a pending illustration on the installation of similar buttons, which in 1 lawsuit again permit tracking, (see Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV (Case C-40/17)) but nosotros mightiness inquire the inquiry to a greater extent than broadly. What for illustration would endure the seat of Google analytics beingness run on a site? There are many examples where deals betwixt supplier in addition to client include personal information of those engaging alongside the customer, without those persons necessarily beingness aware of it, or having a alternative inward the matter. Influenza A virus subtype H5N1 line of piece of work organization which signs upward to Office 365 may concord to default consents to monitoring of email, diary in addition to contact details of its employees. Would this brand the employer a articulation controller alongside Microsoft? It seems probable that in that location volition endure to a greater extent than cases on this – or similar questions – every bit nosotros movement into GDPR territory.
Photo credit: 77reviews.com