In its decision C-210/16 of 5 June 2018, the European Court of Justice (ECJ) ruled on a dispute between a German academic institution and a German data protection authority. The institution operated a fan page on Facebook and collected user data via cookies, which were placed by means of a function called "Facebook Insights". The purpose of the data collection was to provide statistics to administrators of fan pages and to publish targeted advertisements. The data protection authority ordered the institution to stop collecting the data and to deactivate its fan page, since the authority identified deficiencies in the information provided about the data collection.

The institution challenged the order by denying its legal liability for the processing of personal data on Facebook. It also denied having provided instructions to Facebook as regards data processing and claimed that the German data protection authority should have taken action directly against Facebook, not against the institution.

The appeal proceedings examined whether the institution could take the position of a data controller (in terms of German data protection law) or whether that position pertains solely to Facebook. The Bundesverwaltungsgericht ultimately asked the ECJ for clarification.

Considerations of the ECJ

The ECJ ruled as follows:

  • The ECJ understood fan pages to be user accounts set up on Facebook by individuals or businesses. They serve to introduce oneself to users and to post communications. The ECJ further understood that Facebook Insights places cookies on the computer of a user visiting the fan page. Facebook receives information via those cookies.
     
  • ! Based on this understanding, the ECJ generally ruled that the mere use of Facebook does not make the user responsible for the processing of personal data on Facebook.
     
  • However, the ECJ took into consideration that Facebook Insights allows the administrator of a fan page to place cookies on the computer of a user visiting the fan page.

    Facebook provides statistics about user behaviour based on the information collected thought those cookies. !  In the view of the ECJ, the fan page administrator must therefore be seen as a controller responsible for that processing jointly with Facebook.
     
  • The ECJ emphasised that fan pages can also be visited by third parties that are not Facebook users and so do not have a user account on Facebook. The Court regarded the liability of the fan page administrator for such third parties even higher. !  However, the Court did not necessarily see equal liability in all circumstances, so that the level of liability of both Facebook and the administrator must be assessed with regard to the relevant circumstances of the case.
     
  • The ECJ further attributed the data processing to Facebook Germany, even though it was not directly involved in the present scenario. Consequently, according to the ECJ, German data protection law is applicable to Facebook's processing in Germany and German data protection authorities are competent to apply that law to Facebook Germany.

 

Potential impact of the ruling

The facts of the case were triggered between 2011 and 2013, and the ruling is about interpreting the EU Data Protection Directive. However, the Court's qualification of the administrator of a fan page on Facebook as a data controller arguably is equally valid under the GDPR. To the extent the ECJ has qualified the co-action between Facebook and the administrator as a matter of joint responsibility, there is no doubt proximity to the GDPR's concept of joint controlling under Art. 26. Also, in line with its decision C-582/14, where the ECJ qualified IP addresses as essentially to be personal data, it comes as no surprise that the ECJ did not further discuss the question but simply accepted the information Facebook collects via cookies placed through Facebook Insights as personal data. It remains to be seen how Facebook will react to that ruling. So far, the company has provided a statement in which it denied immediate implication and pointed out that the ruling was about the Data Protection Directive, which is not in effect any more. However, Facebook is likely to take up the legal parallelism to the GDPR by changing its terms of use to reflect regulations on joint controlling, in line with Art. 26 GDPR. Meanwhile, operators of Facebook online presences should reflect the adjustments of their services used on Facebook, in particular their cookie settings, in order to verify whether and to what extent their current use of Facebook might correlate with the ruling of the ECJ. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.