On 5 June 2018, the Court of Justice of the European Union (CJEU) decided that an administrator of a Facebook fan page will be considered a so-called data controller, jointly with Facebook. This means that the creator of a Facebook page for marketing purposes becomes responsible for complying with the Personal Data Act (including GDPR) in its processing of personal data via Facebook. The judgment will have the greatest impact on the requirement to provide information to the users.
Moreover, the CJEU decided that the supervisory authority in one country has the authority to intervene in businesses in a different country, which went further than the German courts had thought possible.
By Kristian Foss, Kristin Haram Førde and Jenny Hovda, lawyers and partners in the Bull & Co. law firm.
How could this happen?
The case, which involves the German academy Wirtschaftsakademie Schleswig-Holstein's use of Facebook, entered the judicial system in 2011. The academy began using Facebook to create a fan page, where users received information about products and offers. Through Facebook Insights, the academy received anonymous user analyses from the fan page. The analyses communicated the users' preferences and choices. Facebook used so-called behavioural tracking cookies for this purpose, so the academy received useful information about their users. Neither Facebook nor the academy informed the users that this was
The German supervisory authority ordered the academy to provide such information, but the academy argued that it was not responsible for providing the information, since the academy could not be the data controller.
The question was whether an administrator of a Facebook fan page could be considered a data controller, responsible for the processing that takes place on the fan page. It has already been established, and again emphasized in this matter, that Facebook is considered the data controller for Facebook activities. Following a long, detailed and concrete evaluation, the CJEU concluded that through the use of Facebook Insights, an administrator of a fan page will be considered a joint data controller with Facebook.
The main reason was that the academy itself selected Facebook as a platform and could affect the processing. For example, the administrator set a number of parameters. This way, an administrator could determine the categories of persons whose data Facebook would use, and thus contribute to the processing. An administrator could ask for demographic data for its target audience, such as gender, age, relationships, occupation, lifestyle, interests, and purchase history.
The background for the CJEU's evaluation was the high level of protection the directive requires. The requirement demands a broad interpretation of the term "data controller", in order to achieve the goal of providing efficient and complete protection. Here, the CJEU cited the case against Google Spain.
The CJEU also made it clear that the administrator could be considered a data controller even if he did not process personal data directly (since the data was aggregated and only Facebook can connect it to physical persons).
What does this mean for Norwegian companies?
Many Norwegian companies use Facebook fan pages as part of their marketing activities. If you are considered a data controller, you must provide a so-called basis for processing, and there are other requirements for processing to be met. The basis for processing may be consent or legislation. Other requirements include the requirements for transparency, minimal and shortest possible processing, and certain other requirements.
As you may have noticed, the judgment is based on rules that applied before GDPR came into force, that is, the Data Protection Directive, adopted in 1995, and Norway's implementation of the Personal Data Act of 2000. The evaluation is quite similar under GDPR, because the definition of data controller shall be interpreted similarly under GDPR and the directive. However, GDPR introduces a new definition and regulation of the "joint processing responsibility". The reason is the ever-increasing complexity of modern processing of personal data.
The judgment comments that even if the administrator of a Facebook page is considered a data controller, the responsibility is not equal to Facebook's. The two parties are involved in processing at different stages and with different opportunities to influence. Responsibility must therefore be evaluated on a case-by-case basis. Facebook is the "main data controller". The administrator will not necessarily be able to affect how Facebook collects and processes all the data, so the outcome may be different compared to this case. Regardless, Facebook will be responsible for Facebook as a platform.
These are our recommendations:
Understand the platform. The judgment means that you cannot indiscriminately make use of social media platforms without learning how they work and how they are using your customers' and contacts' data. Therefore, make sure you read the terms and the privacy statements, so that you understand what it will mean for your customers and contacts to follow you on the particular social medium. This is what you need to know to be able to inform.
Secure a basis for processing. The CJEU points out that even if two businesses are joint data controllers, their duties may not be the same. This means that the requirements for the basis for processing may be different. However, as an administrator, you must make sure that you have a basis for the processing you are responsible for. The requirement is especially strict for users who are not Facebook members. Consent or legitimate interest is probably the most functional basis.
Consider whether it relates to you. As mentioned, the Court's judgment was specific and concrete. If you use a different Facebook service, or another provider, you may not be considered a data controller. The question is how much influence you have on the processing. But given that you actually want to be the one to select the service, the threshold is probably low for you to be considered a (joint) data controller.
Delegate responsibility. To prevent responsibility from being fragmented between two data controllers, they need to formalize their cooperation. GDPR does not explicitly require an agreement, but it is the most practical solution. The agreement must address the requirement to inform. For businesses that have created Facebook pages, this responsibility must be delegated to Facebook, since it controls the main part of the service.
This article expands upon the topic discussed in an article in Dagens Næringsliv on 13.06.2018.