Important clarification has been provided by the Court of Justice of the European Union (CJEU) in relation to the processing of the personal data of Facebook users. It has ruled that a Facebook page administrator is, together with Facebook, the “controller” of the personal data of users who visit its page and is therefore subject to the related legal obligations. The Court stated this principle in its decision of 5 June 2018 (C-210/16), issued in relation to a dispute between the Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany and a German company operating in the educational sector.
The dispute began in 2011 when the Data Protection Centre issued an order to the German company to deactivate its Facebook page. The Centre had noted that the personal data of users was being processed by means of cookies without users being informed thereof by either Facebook or the company. The company argued that it had not processed any personal data and that Facebook was fully and solely responsible since it had processed data independently of and extraneously to the company. The question of whether a Facebook page administrator can be considered a “data controller” under personal data protection rules, and thus be subject to the consequences deriving therefrom, was then referred by the German Federal Administrative Court to the CJEU.
But who is the “data controller” under the rules applicable ratione temporis to the case referred to the CJEU? The now abrogated “parent” directive (Directive 95/46/EC) defined the data controller as the party which determines the purposes and means of processing of personal data (a definition which Regulation (EU) 679/2016, “GDPR”, reproduces essentially unaltered). It was precisely on the basis of the definition of Directive 95/46/EC that the CJEU found that the administrator of the Facebook page is the data controller. The German administrator of the page, just like all those who have a dedicated page on Facebook, is entitled to ask social network sites for the anonymized data of visitors to the page, in order to be able to generate consumption statistics on the basis of views and thus make commercial decisions about events and promotions or simply offer users more targeted information. According to the CJEU, if the administrator of a page is able to determine in the manner described the purposes and means of processing data, it may be considered a data controller.
The CJEU ruled, however, that the page administrator and Facebook are jointly controllers of the processing, since it is Facebook which principally determines the purposes and means of processing data on its platform. It also stated that, in the case of joint controllership, responsibility is not automatically divided equally between the joint controllers, but must be decided on a case by case basis. Joint controllership of processing is now regulated by a specific rule of the GDPR (art. 26), which states that joint controllers must, in a transparent manner, determine their respective responsibilities by means of an arrangement between them.
All parties who have a page on Facebook or another social network site and come within the scope of application of data protection rules must therefore assess whether they are processing personal data jointly with the social network site and regulate their relationship with the joint controller, all the more so in the light of the principle established by the CJEU. However, in the face of increasingly common situations such as the one submitted to the Court, in which a small-medium sized economic operator finds itself sharing controllership of the processing of personal data with an over-the-top player, it is difficult to imagine the GDPR rule on joint controllership being applied to the letter. Indeed, it is highly likely that the bargaining power of internet giants and the serialization of these types of relationships will give rise to non-negotiable “agreements” of joint controllership being imposed by over-the-top players on such operators.