
Who’s Responsible for What Happens on Facebook? Analysis of a New ECJ Opinion



Lorna Woods, Professor of Internet Law, University of Essex

Who is responsible for data protection law compliance on Facebook fan sites? That issue is analysed in a recent opinion of an ECJ Advocate-General, in the case of Wirtschaftsakademie (full title: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht).

This case is one more in a line of cases dealing specifically with the jurisdiction of national data protection supervisory authorities, a line of reasoning which seems to operate separately from the Brussels I Recast Regulation, which concerns jurisdiction of courts over civil and commercial disputes. While this is an Advocate-General’s opinion, and so not binding on the Court, if followed by the Court it would consolidate the Court’s prior broad interpretation of the Data Protection Directive. While this might be the headline, it is worth considering a perhaps overlooked element of the data-economy: the role of the content provider in providing individuals whose data is harvested.

Facts

Wirtschaftsakademie set up a ‘fan page’ on Facebook. The data protection authority in Schleswig-Holstein sought the deactivation of the fan page on the ground that visitors to the fan page were not warned that their personal data would be collected by means of cookies placed on the visitor’s hard disk. The purpose of that data collection was twofold: to compile viewing statistics for the administrator of the fan page; and to enable Facebook to target advertisements at each visitor by tracking the visitors’ web browsing habits, otherwise known as behavioural advertising. Such activity must comply with the Data Protection Directive (DPD) (as implemented in the various Member States). While the content attracting visitors was that of Wirtschaftsakademie, it relied on Facebook for data collection and analysis. It is here that a number of preliminary questions arise:

- Who is the controller for the purposes of the data protection regime;
- Which is the applicable national law; and
- The scope of the national supervisory authority’s regulatory competence?

Opinion

Controller

The referring court had assumed that Wirtschaftsakademie was not a controller as it had no influence, in law or in fact, over the manner in which the personal data was processed by Facebook, and the fact that Wirtschaftsakademie had recourse to analytical tools for its own purposes does not change this [para 28]. Advocate General Bot, however, disagreed with this assessment, arguing that Wirtschaftsakademie was a joint controller for the purposes of the DPD – a possibility for which Article 2(d) DPD makes explicit provision [paras 42, 51, 52]. The Advocate General accepted that the system was designed by Facebook so as to facilitate a data-driven business model and that Wirtschaftsakademie was principally a user of the social network [para 53]. The Advocate General highlighted that without the participation of Wirtschaftsakademie the data processing in respect of the visitors to Wirtschaftsakademie could not occur; and he could end that processing by closing the relevant fan page down. In sum:

Inasmuch as he agrees to the means and purposes of the processing of personal data, as predefined by Facebook, a fan page administrator must be regarded as having participated in the determination of those means and purposes. [para 56]

Advocate General Bot further suggested that the use of the various filters included in the analytical tools provided meant that the user had a direct impact on how data was processed by Facebook. To similar effect, a user can also seek to reach specific audiences, as defined by the user. As a result, the user has a controlling role in the acquisition phase of data processing by Facebook. The Advocate General rejected a formal analysis based on the terms of the contract concluded by the user and Facebook [para 60], and the fact that the user may be presented with ‘take it or leave it’ terms does not bear on the fact that the user may be a controller.

As a final point, the Advocate General referred to the risk of data protection rules being circumvented, arguing that:

had the Wirtschaftsakademie created a website elsewhere than on Facebook and implemented a tool similar to ‘Facebook Insights’ in order to compile viewing statistics, it would be regarded as the controller of the processing needed to compile those statistics [para 65].

A similar approach should be taken in relation to social media plug-ins (such as Facebook’s like button), which allow Facebook to gather data on third party websites without the end-user’s consent (see Case C-40/17 Fashion ID, pending).

Having recognised that joint responsibility was an important factor in ensuring the protection of rights, the Advocate General – referring to the approach of the Article 29 Working Party on data protection – clarified that this did not mean that both parties would have equal responsibility, but rather their respective responsibility would vary depending on their involvement at the various stages of processing activities.

Applicable Law

Facebook is established outside the EU, but it has a number of EU established subsidiaries: the subsidiary which has responsibility for data protection is established in Ireland, while the other subsidiaries have responsibility for the sale of advertising. This raises a number of questions: can the German supervisory authority exercise its powers and if so, against which subsidiary?

Applicable law is dealt with in Article 4 DPD, which refers to the competence of the Member State where the controller is established but which also envisages the possibility, in the case of a non-EU parent company, of multiple establishments. The issue comes down to the interpretation of the phrase from Art. 4(1)(a), ‘in the context of the activities of an establishment’, which according to Weltimmo cannot be interpreted restrictively [para 87]. The Advocate General determined that there were two criteria [para 88]:

- An establishment within the relevant Member State; and
- Processing in connection with that establishment.

Relying on Weltimmo and Verein für Konsumenteninformation, the Advocate General identified factors which are based on the general freedom of establishment approach to the question of establishment, looking for real activity through stable arrangements; the approach is not formalistic. Facebook Deutschland clearly satisfies these tests.

Referring to Article 29 Working Party Opinion 8/2010, the Advocate General re-iterated that in relation to the second criterion, it is context not location that is important. In Google Spain, the Court of Justice linked the selling of advertising (in Spain) to the processing of data (in the US) to hold that the processing was carried out in the context of the Spanish subsidiary given the economic nexus between the processing and the advertising revenue. The business set-up for Facebook here is the same, and the fact that there is an Irish element does not change the fact that the data processing takes place in the context of the German subsidiary. The DPD does not introduce a one-stop shop; to the contrary, a deliberate choice was made to allow the application of multiple national legal systems (see Rec 19 DPD), and this approach is supported by the judgment in Verein für Konsumenteninformation in relation to Amazon. The system will change with the entry into force of the General Data Protection Regulation (GDPR), but the Advocate General proposed that the Court should not pre-empt the entry into force of that legislation (due May 2018) in its interpretation, as the cooperation mechanism on which it depends is not yet in place [para 103].

Regulatory Competence

By contrast to Weltimmo, where the supervisory authority was seeking to impose a fine on a company established in another Member State, here the supervisory authority would be imposing German law on a German company. There is a question, however, as to the addressee of any enforcement measure. On one interpretation, the German regulator should have the power only to direct compliance on the company established on its territory, even though that might not be effective. Alternatively, the DPD could be interpreted so as to permit the German regulator to direct compliance from Facebook Ireland. Looking at the key role of controllers, Advocate General Bot suggested that this was the preferred solution. Article 28(1), (3) and (6) DPD entitle the supervisory authority of the Member State in which the establishment of the controller is located, by contrast to the position in Weltimmo, to exercise its powers of intervention without being required first to call on the supervisory authority of the Member State in which the controller is located to exercise its powers.

Comment

The novelty in this Opinion relates to the first question and is significant because the business model espoused by social media companies depends on the participation of those providing content, who seem at the moment to bear little responsibility for their actions. The price paid by third parties (in terms of data) is facilitated by them, allowing them to avoid or minimise their business costs. Should there be a consistency of enforcement applications against such users, this may gradually have an effect on the underlying platform’s business model. While it is harder to regulate mice than elephants, at least these mice appear to be clearly within the geographic jurisdiction of the German regulator – and will remain so even when the GDPR is in force.

The Advocate General went out of his way to explain that there was no difference between the situation in issue here and that in the other relevant pending case, Case C-40/17 Fashion ID. This case concerns the choice by a website provider to embed third party code allowing the collection of data in respect of visitors in the programming for the website for its own ends (increased visibility of and thus traffic to the website): the code in question is that underpinning the Facebook ‘like’ button, but would also presumably include similar codes from Twitter or Instagram.

If there was any doubt from cases – for example Weltimmo – about whether there is a one-stop shop (ie only one possible supervisory authority with jurisdiction across the EU) in the Data Protection Directive, the Advocate General expressly refutes this point. In this context, it seems that this case adds little new, rather elaborating points of detail based on the precise factual set-up of Facebook operations in the EU. It seems well-established now that – at least under the DPD – clever multinational corporate structures cannot funnel data protection compliance through a chosen national regime.

It may be worth noting also the broad approach of the Advocate General to Google Spain when determining whether processing is in the context of activities. There the Court observed that:

‘in such circumstances, the activities of the operator of the search engine and those of its establishment situated in the Member State concerned are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed’ [Google Spain, para 56]

Here, the Advocate General focussed on the fact that social networks such as Facebook generate much of their revenue from advertisements posted on the web pages set up and accessed by users and that there is therefore an indissoluble link between the two activities. Thus it seems that the Google Spain reasoning applies broadly to many free services paid for by user data, even if third parties – for example those providing the content on the page visited – are involved too.

Of course, the GDPR does introduce a one-stop shop. Arguably, therefore, these cases are soon to be of historic interest only. The GDPR proposes that the regulator in respect of the controller’s main EU establishment should have lead responsibility for regulation, with regulators in respect of other Member States being ‘concerned authorities’. There are two points to note: first, there is a system in place to facilitate the cooperation of the relevant supervisory authorities (Art 60), including possible recourse to a ‘consistency mechanism’ (Art 63 et seq); secondly, the competence of the lead authority to act in relation to cross-border processing in Article 66 operates without prejudice to the competence of each national supervisory authority in its own territory set out in Article 55. The first of these two points concerns the attempt to limit regulatory arbitrage and a downward spiral of standards in the GDPR as applied and the broad approach to establishment. The interest of the recipient state in regulating means that there may be many cases involving ‘concerned authorities’. The precise implications of the second point are not clear; note however that it seems that the one-stop shop as regards Facebook would not stop data protection authorities taking enforcement action against users such as Wirtschaftsakademie.


Photo credit: Deccan Chronicle
