European Court of Justice: The ECJ recently held that the data protection authority of the Member State in which the administrator has its seat may, under Directive 95/46/EC of the European Parliament and of the Council of 24-10-1995 on data protection (OJ 1995 L 281, p. 31), act both against the administrator and against the Facebook subsidiary established in that Member State.
In this case, a German company operated in the field of education and offered educational services inter alia by means of a fan page hosted on Facebook. Administrators of fan pages could obtain anonymous statistical data on visitors to the fan pages via a function called ‘Facebook Insights’ which Facebook made available to them free of charge under non-negotiable conditions of use.
By decision of 3-11-2011, the Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany as supervisory authority (the authority) within the meaning of Directive 95/46 on data protection, ordered one of the administrators to deactivate its fan page. According to the authority, neither administrator nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected and processed personal data concerning them. Administrator brought an action against that decision before the Federal Administrative Court, Germany which asked ECJ to interpret Directive 95/46. Administrator argued that the processing of personal data by Facebook could not be attributed to it and it had not commissioned Facebook for that purpose.
ECJ started by observing that it was not disputed that the American company Facebook and, for the EU, Facebook Ireland must be regarded as ‘controllers’ responsible for processing the personal data of Facebook users and persons visiting the fan pages. Next, the Court found that an administrator must be regarded as a controller jointly responsible with Facebook Ireland for the processing of that data. Court observed that administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of managing or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page. Administrator of the fan page can ask for demographic data and request its processing including in terms of age, sex, relationships and occupations, information on the lifestyles and centres of interests of the target audience telling the fan page administrator where to make special offers and organise events and more generally enabling it to target best the information it offers. So, an administrator who makes use and benefits from the associated services of Facebook cannot be exempted from compliance with its obligations concerning the protection of personal data.
In addition, the Court found that the authority was competent, for the purpose of ensuring compliance in German territory with the rules on the protection of personal data, to exercise with respect not only to administrators but also to Facebook Ireland all the powers conferred on it under the national provision transposing Article 28(3) of Directive 95/46. The same provision further entitles it to exercise those powers with respect to Facebook Germany even though it was not responsible for collecting and processing personal data due to division of work. [Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, Case C-210/16, order dated 05.06.2018]