Days after the General Data Protection Regulation (GDPR) became applicable, data protection and social networks are in the news again: last Tuesday, the Court of Justice of the European Union (CJEU) decided that the administrator of a Facebook fan page is jointly responsible, together with Facebook itself, for the processing of personal data of Facebook users and of other persons visiting the page, which is hosted on Facebook and tracks its visitors. The Court also held that the local German data protection authority (the authority of Schleswig-Holstein, case C-210/16) is competent to enforce Facebook’s compliance with the European data protection rules, because Facebook has an establishment in Germany (Facebook Germany in Hamburg). Moreover, the Court states that this authority is by no means bound by findings or decisions of the data protection authorities of other member states, in particular not by the Irish authority, even though Facebook’s European headquarters are located in Ireland. While the operative part of the judgment uses the generic term “social network”, the reasoning is clearly specific to Facebook.
There are two caveats to this decision. First, it concerns an administrative order issued by the local data protection authority in 2011, which was based on the Data Protection Directive (DPD); the DPD has in the meantime been replaced by the GDPR. Second, the judgment deals specifically with the questions of (joint) control and of the competence of data protection authorities, not with the actual legality of the processing of personal data by Facebook.
The judgment is not set in the context of the GDPR and does not refer to it in any way (unlike the opinion of the Advocate General (AG)). That matters, because in terms of competence the GDPR changes a lot. The “one-stop-shop” concept in Art. 56 GDPR provides for a clear primary competence of the data protection authority of the member state in which the controller has its main establishment, which in the case of Facebook is Ireland. Regarding the cooperation between different data protection authorities, the consistency mechanism in Art. 63 ff. GDPR is also a significant change.
The reasoning of the Court regarding joint control, on the other hand, most likely still applies under the GDPR, which has not changed much in that respect.
As a starting point it is worthwhile to recall the definition of the controller in Art. 2(d) DPD and Art. 4(7) GDPR. In the relevant part it reads as follows:
“the natural or legal person […] or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Unfortunately the CJEU did not use this chance to delve into the depths of the definition, nor did it take the opportunity to give clear guidance on how to differentiate joint controllers from processors. It did shed some light on the concept of the controller, though.
The Court starts out with the usual emphasis on the high level of protection guaranteed by the DPD, as it relates to the fundamental rights and freedoms of natural persons. In this context the Court explicitly mentions privacy, which is somewhat puzzling, since this recalls Art. 7 CFREU and the right to private life rather than the more appropriate right to data protection in Art. 8 CFREU. Citing Google Spain (C-131/12), the Court further emphasises that the definition of the controller needs to be interpreted broadly. In what might be read as another swipe at the German implementation of the DPD, which failed to include joint control, the Court highlights that joint control by definition implies several actors, something that should be clear from the wording of the definition itself.
One fairly important point made by the Court is the distinction between being a regular user of the social network and running a page which allows for the placement of cookies, in particular on the devices of visitors who are not even registered with the network. The former is not a joint controller along with the network operator; the latter is. Even if this distinction works for Facebook (for now), its usefulness for internet infrastructure in general seems questionable. By the same logic, even a regular Twitter user would be a joint controller along with Twitter, for allowing the placement of a cookie whenever someone visits their timeline, if the placement of a cookie were the only criterion for joint controllership, that is.
The Court seems to go further than just relying on the cookie. It emphasises that, when creating the page, the administrator can set certain fairly specific parameters regarding the target audience and the objectives of managing and promoting its activities, and that these parameters in turn influence the statistics Facebook provides to the administrator. The fact that these statistics are anonymous is irrelevant, since the page administrator influences the processing by setting the parameters.
This also leads to one of the most significant findings in this case: one does not necessarily need to have access to the processed data in order to be a joint controller. This is, at least to most German data protection scholars, something fairly new, which might have to do with the somewhat botched definition of the controller in German data protection law.
From the overall reasoning one could conclude that to be considered a (minor) joint controller one needs to do more than merely enable the data processing (e.g. by allowing the placement of the cookie), namely have some say with regard to the actual processing of the data, i.e. influence the parameters of the processing that generates Facebook Insights. But that would be misguided, as the following statement by the Court reveals:
“The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.”
This remark seems somewhat out of place, since the Court had just emphasized the page operator’s ability to set certain parameters for the processing of personal data in order to generate Facebook Insights. That argument, in turn, seems disconnected from the focus on the enablement of the collection of personal data by means of cookies: the processing of data for Facebook Insights does not itself require the collection of personal data from visitors of the fan page, but happens after the collection has taken place anyway. Still, going by the wording of the judgment, what matters for joint controllership is the setting of the parameters. The AG argued in his opinion that the initial data collection via the cookie is a necessary step to allow for the processing required to provide Facebook Insights. In the Court’s decision, however, the matter of data collection is basically absent. One might presume that this is due to a lack of technical understanding of the various processes involved. Another explanation might be that the Court is bending over backwards just to stay within the definition of the controller, which, coincidentally, has not changed significantly between the DPD and the current GDPR.
It stands to reason, as various scholars have already pointed out, that the concepts of controller and processor are in bad need of an overhaul. This is also somewhat hinted at in the opinion of the AG (para. 64 of the opinion). In any case, it seems somewhat half-hearted to criticise the collection of personal data by means of cookies and then shift to a byproduct of that collection in order to determine (joint) control. One could argue that the benefit of using the infrastructure is enough of an incentive for the operator. However, if mere approval of another controller’s purposes and means constituted joint control, this would have extremely far-reaching consequences for the notion of the controller and, in consequence, for everything that follows from it.
There is another case pending before the CJEU that might bring some clarity here: Fashion ID (C-40/17). This case deals with similar web tracking issues, the difference being that the administrator of a regular website integrated a third-party plugin, a Facebook Like Button. Interestingly enough, the AG saw no need to distinguish between the two cases (para. 66 ff. of the opinion), while the judgment is silent on this. Since the Like Button also offers the Facebook Insights functionality, the Court might just decide the same way. This in turn raises the question: what would the Court decide if Facebook simply disabled the Insights functionality?
On top of all this, the Court points out that the responsibility of joint controllers does not need to be equal. While this may be true inter se, it is difficult to imagine how this would play out externally, towards the data subjects’ rights or towards the data protection authorities. A cautious interpretation might be that the Court was merely pointing out that joint controllership needs to be assessed on a processing-by-processing basis. On another note, while Art. 26 GDPR provides for an internal allocation of duties between joint controllers, it does not provide for any corresponding benefit vis-à-vis the data subject or the data protection authority. On the contrary, Art. 26(3) GDPR provides that data subjects may exercise their rights against any of the joint controllers. Moreover, all of this presupposes that joint controllers recognize that they are joint controllers in the first place, something the ambiguity of this decision does little to help.