By Susan Wolf
In our previous blog we considered the recent, and much awaited, decision of the Court of Justice of the European Union (CJEU) on the status of Facebook fan page users [1]. After protracted litigation in the German courts, the CJEU ruled on 5 June 2018 that the concept of data controller is wide enough to include a user of a fan page hosted on a social network (in this case Facebook).
Wirtschaftsakademie Schleswig-Holstein GmbH (a private training academy) operated a Facebook fan page, which it used to promote its activities. Facebook provided Wirtschaftsakademie with anonymised statistical data about people who visited the fan page. The German data protection authority for Schleswig-Holstein ordered Wirtschaftsakademie to deactivate the page or risk a fine, because visitors to the fan page were not warned that their personal data was being collected by Facebook by means of cookies placed on the visitor’s hard disk. The purpose of that data collection was to compile viewing statistics for Wirtschaftsakademie and to enable Facebook to publish targeted advertisements.
Technically the Court’s jurisdiction is limited to providing authoritative rulings on the interpretation of EU law, not to determining the outcome of a case. Nevertheless, in this case the Court made it very clear that Wirtschaftsakademie was a data controller responsible for processing personal data, jointly with Facebook Ireland. The ruling has much wider implications and could affect all organisations that use Facebook fan pages or similar online social media.
Joint Data Controllers Must have an Agreement that sets out respective responsibilities under the GDPR
The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services does not mean it escapes any of the obligations concerning the protection of personal data. In short, as a joint data controller, the fan page user must comply with the GDPR. Similarly, the fact that the fan page user acts as a joint controller, in that it decides to use Facebook as its platform, does not relieve Facebook of its obligations as controller either. They are joint data controllers, a concept specifically acknowledged by Article 26 of the GDPR, which states:
“Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under [the GDPR], in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless…. The arrangement may designate a contact point for data subjects.”
Joint controllers must enter into a specific agreement, or contract, that sets out their respective responsibilities under the GDPR.
Joint Controller does not necessarily mean ‘equal controller’
The fact that two entities are joint controllers does not mean that they are ‘equals’. The CJEU acknowledges that the existence of joint responsibility with an online social network, such as Facebook, does not necessarily imply equal responsibility.
Depending on the circumstances, different operators may be involved at different stages of that processing, and to different degrees. So, for example, it is not necessary for a data controller to have complete control over all aspects of data processing. Indeed, data processing today is becoming much more complex and may involve several distinct processes and numerous parties, each exercising a different degree of control. With such complexity it is even more important that roles and responsibilities are clearly defined and easily allocated. However, Article 26 GDPR also requires that the ‘allocation’ of responsibilities be transparent. The Article 29 Working Party (now the European Data Protection Board), in its 2010 Opinion on the concepts of controller and processor [2], emphasises that the complexities of joint control arrangements must not result in an unworkable distribution of responsibilities that makes it more difficult for data subjects to enforce their rights.
On 15 June Facebook issued a statement for users of Facebook fan pages. This also acknowledges that ‘it does not make sense to impose an equal footing on page operators for the data processing carried out by Facebook’. Accordingly, Facebook has indicated that it will update its own terms and conditions to clarify the respective data protection responsibilities of Facebook and fan page users. (The statement does not expressly refer to the GDPR.) However, at the time of writing this blog nothing further has been issued.
A note of caution: Liabilities
The terms of any joint controller agreement will be very important because of the provisions of Article 82(4). This states that where more than one controller is involved in the ‘same processing’ and where they are responsible for any damage caused by that processing, each controller shall be held liable for the entire damage. This is to ensure the effective compensation of data subjects who suffer any ‘material or non-material’ damage as a result of a breach of the GDPR. However, GDPR Recital 146 states that where both controllers are joined in the same legal proceedings, compensation may be apportioned according to the responsibility of each controller (subject to the caveat that the data subject who has suffered damage is compensated in full). Therefore an agreement that specifically allocates responsibilities, and liabilities, should be regarded as essential.
What steps should Fan Page users be taking now?
Until Facebook clarifies its position on a joint controller agreement, it might be prudent for anyone thinking of opening a Facebook fan page to defer doing so.
However, existing fan page users do need to take steps to become GDPR compliant.
The Information Commissioner’s Office has not, as yet, issued any guidance to fan page users. However, the German data protection authorities have issued a statement advising Facebook fan page users/operators that they must comply with the applicable provisions of the GDPR, and specifically with the following obligations:
- The operator must provide information on processing activities by Facebook and by the operator itself transparently and in an understandable form.
- The operator must ensure that Facebook provides the relevant information to enable the operator to fulfil its information obligations.
- The operator must obtain opt-in consent for tracking visitors to a fan page (e.g., by using cookies or similar technologies).
- The operator must enter into a co-controller agreement with Facebook.
Perhaps a more pragmatic approach is for fan page users to consider what steps an organisation would need to take, as data controller, if it had created its own website (other than via Facebook), embedded cookies and implemented a tool similar to Facebook Insights in order to compile viewing statistics.
[1] Case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH
[2] Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of “controller” and “processor”