Administrators of Facebook Fan Pages, Beware!

Have you set up a fan page on Facebook for your enterprise or to boost your fan base? The European Court of Justice has some news for you.

As you may know, administrators of Facebook fan pages can obtain anonymous statistical data on visitors to their fan pages via a function called “Facebook Insights”, which Facebook makes available to them free of charge under non-negotiable conditions of use. The data is collected by means of cookies, which are active for two years and are stored by Facebook on the hard disk of the computer or on another device of visitors to the fan page. The user code, which can be matched with the connection data of users registered on Facebook, is collected and processed every time the fan pages are opened.

By decision of 3 November 2011, a local German supervisory authority in Schleswig-Holstein ordered Wirtschaftsakademie, a fan page administrator, to deactivate its fan page.

According to the supervisory authority, neither Wirtschaftsakademie nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected personal data concerning them and then processed the data.

Wirtschaftsakademie brought an action against that decision before the German administrative courts, arguing that the processing of personal data by Facebook could not be attributed to it, and that it had not commissioned Facebook to process data that it controlled or was able to influence. Wirtschaftsakademie concluded that the Unabhängiges Landeszentrum should have acted directly against Facebook instead of against it.

It is in that context that the European Court of Justice was asked to interpret Directive 95/46 on data protection. The Court delivered its judgment in Case C-210/16, in which it observed that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data.

Such an administrator takes part, by its definition of parameters (depending in particular on its target audience and the objectives of managing or promoting its own activities), in the determination of the purposes and means of processing the personal data of the visitors to its fan page. In particular, the Court noted that the administrator of the fan page can ask for demographic data (in anonymised form) – and thereby request the processing of that data – concerning its target audience (including trends in terms of age, sex, relationships and occupations), information on the lifestyles and centres of interest of the target audience (including information on the purchases and online purchasing habits of visitors to its page, and the categories of goods or services that appeal the most) and geographical data, telling the fan page administrator where to make special offers and organise events and more generally enabling it to best target the information it offers.

According to the Court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.

The Court further stated that, where the supervisory authority of a Member State (in this case, the German supervisor) intends to exercise with respect to an entity established in the territory of that Member State (in this case, Wirtschaftsakademie) the powers of intervention provided for in Directive 95/46, on the ground of infringements of the rules on the protection of personal data committed by a third party responsible for the processing of that data whose seat is in another Member State (in this case, Facebook Ireland), that supervisory authority is competent to assess, independently of the supervisory authority of the other Member State (Ireland), the lawfulness of such data processing and may exercise its powers of intervention with respect to the entity established in its territory without first calling on the supervisory authority of the other Member State to intervene.

The above judgment reiterates that there must be no gaps in responsibility under data-protection law. This means specifically that all administrators of Facebook Pages have to ensure that they and Facebook conform to their respective obligations under data protection law.

Such a joint responsibility is particularly important with regard to a controller’s information obligations: transparency is required for the processing of data concerning all users, whether they are members of Facebook or non-members.