Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH

Reference: C-210/16

Court: CJEU Grand Chamber

Judge: K. Lenaerts (President), A. Tizzano (Rapporteur/Vice-President), M. Ilešič, L. Bay Larsen, T. von Danwitz, A. Rosas, J. Malenovský and E. Levits (Presidents of Chambers), E. Juhász, A. Borg Barthet, F. Biltgen, K. Jürimäe, C. Lycourgos, M. Vilaras, E. Regan

Date of judgment: 5 Jun 2018

Summary: Data protection – data controller – joint responsibility – Facebook and Facebook fan page

Facts

Wirtschaftsakademie (‘W’) was an online education provider. It established and administered a Facebook ‘fan page’ to promote its business, which allowed it to obtain anonymous statistical information about its customers. The supervisory authority in Schleswig-Holstein (Germany) (‘ULD’) ordered W to deactivate the fan page on the ground that neither W nor Facebook Ireland Ltd (‘Facebook’) informed visitors that – by placing cookies on the devices of visitors to the fan page – Facebook was collecting and processing their personal data.

W brought a complaint against the decision, which the ULD dismissed. W then brought a successful action in the Verwaltungsgericht (Administrative Court), which the ULD appealed to the Oberverwaltungsgericht (Higher Administrative Court) and then to the Bundesverwaltungsgericht (Federal Administrative Court). The Federal Administrative Court considered that W was not a ‘controller’ within the meaning of Article 2(d) of Directive 95/46 (‘the Directive’). It also expressed doubts as to the powers of the ULD with respect to Facebook Germany GmbH, given that Facebook Ireland was responsible for the collection and processing of personal data for Facebook within the EU. It referred the proceedings to the CJEU under the preliminary ruling procedure.

Issue

(1) Is the administrator of a fan page hosted on a social network a ‘controller’ of personal data within the meaning of Article 2(d)?

(2) Where a parent company has several establishments in different Member States, is a supervisory authority entitled to exercise powers with respect to the establishment in its territory, even if an establishment in another Member State has exclusive responsibility for collecting and processing personal data for the group?

(3) Can a supervisory authority exercise its powers of intervention against an establishment within its territory, without first calling on the supervisory authority in the Member State where the entity has its establishment responsible for collecting and processing data to intervene?

Held

(1) Yes. The operator of a social network and the administrator of a fan page are jointly responsible for the processing of personal data, even if their roles are not equal.

In the present case, Facebook Inc and Facebook Ireland primarily determined the purposes and means of processing the personal data of Facebook users and persons visiting the fan pages, and therefore fell within the concept of ‘controller’ within the meaning of Article 2(d) of the Directive. However, W could also be regarded as a controller as it took part in determining the purposes and means of processing the personal data of the visitors to its fan page. Relevantly:

  1. by creating a fan page, an administrator gives Facebook the opportunity to place cookies on the computer or device of a person visiting the fan page;
  2. the creation of a fan page involves the “definition of parameters by the administrator”, which has an influence on the processing of personal data for the purposes of producing statistics based on visits to the fan page. For example, the administrator can choose filters to define the criteria for statistics to be drawn up. In particular, the administrator can ask for (and therefore request the processing of) demographic data relating to its target audience to enable it to target its customers, including trends in terms of age, sex, relationship, occupation, lifestyles, centres of interest, purchasing habits and geography.

(2) Yes. It follows from a reading of Article 4 of the Directive in conjunction with Articles 28(1) and (3) that, where the national law of the Member State of the supervisory authority applies (because the processing is carried out in the context of activities of an establishment of the controller in the territory of the Member State), that supervisory authority can exercise all the powers conferred on it by that law in respect of that establishment. This is regardless of whether the controller also has establishments in other Member States.

In the present case, German law was applicable to the processing of personal data at issue. First, it was common ground that Facebook Inc had a permanent establishment in Germany within the meaning of Article 4(1)(a) of the Directive. Second, Facebook Germany carried out activities addressed to persons residing in Germany, including selling advertising space. As a result, ULD was competent for the purpose of ensuring compliance in German territory with the rules on the protection of personal data. The fact that strategic decisions on the collection and processing of personal data were taken by Facebook Ireland was not capable of calling this competence into question.

(3) Yes. Pursuant to the second subparagraph of Article 28(1) of the Directive, supervisory authorities are to act with complete independence in exercising the functions entrusted to them. Although Article 28(6) requires supervisory authorities to cooperate with each other (in particular by exchanging useful information), the Directive does not lay down any criterion of priority.

In the present case, the ULD was entitled to assess, independently of the assessments made by the Irish supervisory authority, the lawfulness of the data processing at issue in the main proceedings.

Comment

This decision is consistent with the broad approach to ‘controller’ in Article 2(d), which is intended to ensure effective and complete protection of data subjects: Google Spain C-131/12 at [34]. However, the CJEU included the important proviso that “the existence of joint responsibility does not necessarily imply equal responsibility”, and “the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case”. This highlights the need for fact-sensitive assessment of the tasks performed by each controller at different stages of the data processing – and may mean that at a particular stage, there is only one controller.

The outcome is an important reminder to the administrators of fan pages (however small) to take active steps to notify data subjects and/or obtain consent, rather than relying on the social networking platform to do so. The CJEU emphasised that Facebook fan pages can be accessed by persons who are interested in the administrator’s business, but are not members of Facebook. In these circumstances, the CJEU considered that the responsibility of the administrator was “even greater”.

It should be noted that the Directive did not use the term “joint controllers”, although Article 2(d) defined controller as a body which alone or jointly determined the means and processing of personal data. The concept of “joint control” is now formalised in Article 26 of the GDPR, which requires joint controllers to determine their respective responsibilities for compliance in a transparent manner, and make this arrangement available to data subjects.
