June 11, 2018

The defendant, Wirtschaftsakademie Schleswig-Holstein GmbH, provides education and training services via a fan page hosted on Facebook by Facebook Ireland. The claimant, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), is a German regional data protection authority.

To set up a fan page, the fan page administrator must first register with Facebook. It can then use the Facebook platform to advertise itself to users of the social network and to post information.

Facebook uses “web tracking” software to observe and analyse the behaviour of internet users for commercial and marketing purposes. Facebook applied this software to all visitors of Wirtschaftsakademie’s fan page.

In November 2011, ULD ordered Wirtschaftsakademie to deactivate its Facebook fan page on the ground that neither Wirtschaftsakademie nor Facebook had informed visitors to the fan page that Facebook was collecting their personal data with the aid of cookies and was then processing that data. Wirtschaftsakademie challenged that decision, arguing that it was not responsible for the data processing carried out by Facebook or for the cookies that Facebook had installed.

ULD dismissed Wirtschaftsakademie’s objection, so Wirtschaftsakademie applied to the German courts. The court agreed with Wirtschaftsakademie, finding that the administrator of a Facebook fan page is not a “controller”. ULD appealed and the matter eventually reached the Federal Administrative Court, which asked the CJEU various questions. Most importantly, it has asked whether, under the Data Protection Directive (95/46/EC), data protection authorities can exercise their powers of intervention against a body that is not a “controller” under Article 2(d), but which might nevertheless be held liable in the event of infringement on account of it using a social network, such as Facebook, to promote its business.

It was not disputed that the US Facebook company and, for the EU, its Irish subsidiary Facebook Ireland, were “controllers”, responsible for processing the personal data of Facebook users and visitors to the fan pages hosted on Facebook. Those companies primarily determined the purposes and means of processing that data.

The CJEU found that an administrator, such as Wirtschaftsakademie, must be regarded as a controller jointly responsible with Facebook Ireland for the processing of that data.

An administrator such as Wirtschaftsakademie was involved in determining the purposes and means of processing the personal data of visitors to its fan page, the CJEU said. In particular, Wirtschaftsakademie could ask for demographic data (in anonymised form) on its target audience (including age, sex, relationships and occupations), as well as information on their lifestyle and interests, and geographical data, in order to target its offerings.

The fact that an administrator of a fan page used a Facebook platform to benefit from its services could not exempt it from complying with its obligations on the protection of personal data, the CJEU said.

Further, the CJEU found that ULD was competent, for the purpose of ensuring compliance with German data protection law, to exercise all the powers conferred on it under German law with respect not only to Wirtschaftsakademie but also to Facebook Ireland.

The CJEU found that where an undertaking established outside the EU (e.g. the US Facebook company) has several establishments in different Member States, the supervisory authority of each Member State is entitled to exercise the powers conferred on it by the Directive with respect to an establishment of that undertaking in the territory of that Member State even if, as a result of the division of tasks within the group, that establishment (e.g. Facebook Germany) is responsible solely for the sale of advertising space and other marketing activities in the territory of the Member State concerned, and exclusive responsibility for collecting and processing personal data belongs, for the entire territory of the EU, to an establishment situated in another Member State (e.g. Facebook Ireland).

In addition, where the supervisory authority of a Member State (e.g. ULD) wishes to exercise, with respect to an entity established in that Member State (e.g. Wirtschaftsakademie), the powers of intervention under the Directive on the ground of infringement by a third party responsible for the processing of that data whose seat is in another Member State (e.g. Facebook Ireland), that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State (Ireland), the lawfulness of such data processing. Further, it may exercise its powers of intervention without first calling on the supervisory authority of the other Member State to intervene. (Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (5 June 2018) — to access the judgment in full, go to the curia search form, type in the case number and follow the link).