06 June 2018

Who Controls a Facebook Page?

Days after the General Data Protection Regulation (GDPR) has entered into force, data protection and social networks are in the news again: Last Tuesday, the European Court of Justice (ECJ) has decided that the administrator of a Facebook page is jointly responsible, along with Facebook itself, for processing personal data of Facebook users and persons visiting the page hosted on Facebook via web tracking. The court also held that the local German data protection authority is competent to enforce Facebook’s compliance with the European data protection rules, because Facebook has an establishment in Hamburg (Facebook Germany). Moreover, the Court states that this authority would by no means be bound by findings or decisions of data protection authorities in other member states, especially not by the one in Ireland, where Facebook’s European headquarters are located. While the judgment’s tenor uses the generic term social network it is clear that the judgment is specific to Facebook.

There are two caveats to this decision. First, it concerns an administrative order by the local data protection authority from 2011, which was based on the Data Protection Directive (DPD), which in the meantime has been replaced by the GDPR. Second, the judgment deals specifically with the question of (joint) control and the competence of data protection authorities, not the actual legality of the processing of personal data by Facebook.

While the judgement is not set in the context of the GDPR, it also does not refer to it in any way (as opposed to the opinion of the AG). That being said, in terms of competence the GDPR changes a lot. The “one-stop-shop” concept in Art. 56 GDPR provides for a clear primary competence of the data protection authority within the member state of the main establishment of the controller – in the case of Facebook: Ireland. Regarding the cooperation between different data protection authorities the consistency mechanism in Art. 63 ff. GDPR also poses a significant change.

The reasoning of the Court regarding joint control, on the other hand, most likely does still apply under the GDPR, which hasn’t changed much in that respect.

As a starting point it is worthwhile to familiarise oneself with the definition of the controller in Article 2(d) DPD and Art. 4 Nr. 7 GDPR. It reads as follows:

„the natural or legal person […] or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data“

Unfortunately the CJEU did not use this chance to delve into the depths of the definition or take the opportunity to give clear guidance on how to differentiate joint controllers from processors. It did shed some light into the concept of the controller, though.

The Court starts out with the usual emphasis on the high level of protection guaranteed by the DPD, as it relates to fundamental rights and freedoms of natural persons. In this context the Court explicitly mentions privacy, which is somewhat irritating, since this would recall Art. 7 CFREU and the right to private life rather than the more appropriate Art. 8 CFREU right to data protection. Mentioning the Google Spain case (C-131/12) the Court further emphasises that the definition of the controller needs to be interpreted broadly. With what might be interpreted as another swipe at the German implementation of the DPD, which failed to include joint control, the Court highlights that per definition joint control implies several actors. Something that should be clear from the wording of the definition itself.

On this basis, Facebook Inc. and Facebook Ireland are characterised as primary joint controllers for processing the personal data of Facebook users and other persons visiting the websites hosted by Facebook and its entities. When the page administrator creates a page, he/she enters into a contract with Facebook which includes Facebook’s cookie policy. Those cookies, which are stored on the data subjects devices when they visit a page, are where the data processing happens. Facebook processes the data in order to improve its system of advertising, whereas the page administrator  has the option to gain insight from the visitor statistics offered by Facebook and thereby managing the promotion of its activity.

One fairly important point made by the Court is the distinction between being a regular user of the social network and running a page which allows for the placement of cookies, especially for visitors that are not even registered on the network. The former is not a joint controller along with the network operator, the latter is. Even if this distinction works with Facebook (for now), its use for internet infrastructure in general seems questionable. By the same logic even a regular Twitter user would be a joint controller along with Twitter, for allowing the placement of a cookie when someone visits their timeline. If that would be the only criteria for joint controllership, that is.

The Court seems to go further than just relying on cookie(s). It emphasises that during the creation of the page the administrator can set certain, fairly specific parameters regarding the target audience and the objectives of managing and promoting its activities which in turn influence the statistics Facebook provides to the administrator. The fact that these statistics are anonymous is irrelevant, since the page administrator influences the processing by setting the parameters.

This also leads to one of the most significant findings in this case: you don’t necessarily need to have access to the processed data to be a joint controller. This is, at least to most German data protection legal scholars, something fairly new, which might have to do with the somewhat botched definition of the controller in German data protection law.

From overall reasoning one could conclude that to be considered a (minor) joint controller one needs to do more than just enable the data processing (e.g. via the placement of the cookie) and have some say with regards to the actual processing of data, i.e. influencing the parameters of the processing for generating Facebook Insights. But that would be misguided, as the following statement by the Court reveals:

„The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.“

This remark seems somewhat out of place, since the Court emphasized the page operator’s ability to set certain parameters for the processing of personal data in order to generate Facebook Insights. This argument on the other hand also seems disconnected from the focus on the enablement of the collection of personal data by means of cookies. The processing of data for Facebook Insights does not require the collection of personal data from visitors of the fan page but happens after the collection happened anyway. Still, going by the wording of the judgment: what matters for joint controllership is the setting of the parameters. The AG argued in his opinion that the initial data collection via the cookie is a necessary step to allow for the processing in order to provide Facebook Insights. In the Court’s decision, however, the matter of data collection is basically absent. One might presume that this conclusion is due to a lack of technical understanding of the various processes involved. Another explanation might be that the Court is trying to bend over backwards just to stay within the definition of the controller, which coincidently has not changed significantly between the DPD and the current GDPR. It stands to reason, as already pointed out by various scholars, that the concepts of the controller and processor are in bad need of an overhaul. This is also somewhat hinted at in the opinion of the AG (para. 64 of the opinion). In any case, it seems somewhat half-hearted to critisise the collection of the personal data by means of cookies and then shift to a byproduct of said collection to determine (joint) control. One could argue that the benefit of using the infrastructure might be enough of an incentive to the operator. However, if mere approval of another controller’s purposes and means would constitute joint control, this would have extremely far-reaching consequences for the notion of controller and in consequence everything that follows from it.

There is another case pending before the CJEU that might bring some clarity here: Fashion ID (C-40/17). This case deals with similar web tracking issues, the difference being that the administrator of a regular website integrated a third-party plugin, a Like Button. Interestingly enough, the AG saw no need to distinguish between both cases (para. 66 ff. of the opinion), while the judgment is silent on this. Since the Like Button also has the Facebook Insights functionality, the Court might just decide the same way. This in turn begs the question: what would be the Court’s decision if Facebook would simply disable the Insight functionality?

On top of all this, the Court points out that the responsibility between joint controllers does not need to be equal. While this may be true inter se it is difficult to imagine how this would relate externally to the data subjects’ rights or to the data protection authorities. A cautious interpretation might be that the Court was merely pointing out that joint controllership needs to be accessed on a processing-by-processing basis. On another note, while Art. 26 GDPR provides for internally assigning duties it does not provide for any benefits towards the data subject or data protection authority. On the contrary, Art. 26 para. 3 GDPR provides that data subjects may exercise their rights with any joint controller. Also this would require joint controllers to recognize that they are joint controllers, something which is not particularly helped by the ambiguity of this decision.


SUGGESTED CITATION  Marosi, Johannes: Who Controls a Facebook Page?, VerfBlog, 2018/6/06, https://verfassungsblog.de/who-controls-a-facebook-page/, DOI: 10.17176/20180607-094351-0.

13 Comments

  1. Baruch Spinelli Thu 7 Jun 2018 at 00:05 - Reply

    The distinction between minor and regular joint controllers does not seem to make a lot of sense here practically since the different levels of responsibility in data protection law are hard to distinguish already. However, it is an interesting decision.

    It would be interesting to read more about constitutional implications for public authorities using social media pages.

    • Johannes Marosi Sun 10 Jun 2018 at 20:26 - Reply

      There really is no distinction. If you look up the joint controller in German commentaries on data protection law it is almost always depicted as control on equal footing. It was merely a way of pointing out that there is no stereotypical scenario of joint control. The distinction, at least from the law, stems from whether someone is classified as a (joint) controller or processor, the fine-tuning is purely contractual.

      As the CJEU only really hinted at Fanpages being in breach of data protection law back when the proceedings began, as of now public authorities are not in definite breach of the GDPR. To be fair, to most interested parties the judgment comes as surprise, the German courts were very clear on the page admin being neither a controller nor anything else.

      And just for amusement: there is at least one German DPA that has a Twitter profile.

  2. Birgit Clark Thu 7 Jun 2018 at 09:58 - Reply

    What would make this case comment even better would be a link to the curia page and citation of the full name/details of the case at the beginning of the article.

  3. Rob Blake Thu 7 Jun 2018 at 10:45 - Reply

    I find this ruling both interesting and a little unclear. What could the German company have done in advance to avoid this issue? For example, on a company website, it is straightforward enough to introduce a ‘cookies policy’ pop-up message to alert visitors to this. How could this have been implemented within a Facebook fan page?