European Union: Facebook Responsible For Fan Pages On Platform And Liable To Answer To Data Protection Authority Of Each Member State

On 24 October 2017, Advocate General ("AG") Bot delivered an opinion in response to a number of preliminary questions referred to the Court of Justice of the European Union ("ECJ") by the German Federal Administrative Court (Bundesverwaltungsgericht) in a dispute relating to a Facebook fan page.

Fan page administrators of Facebook fan pages can view statistics with regard to their fan page through the tool Facebook Insights, which allows them to tailor their communications to their followers accordingly. In order to compile these statistics, at least one cookie containing a unique ID number, active for two years, is stored by Facebook on the hard disk of every person who visits the fan page. A dispute regarding this practice arose between the Wirtschaftsakademie Schleswig-Holstein GmbH, a company specialising in the field of education which owns a Facebook  fan page ("the Wirtschaftsakademie"), and the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, a regional data-protection authority in Schleswig-Holstein ("ULD"). ULD ordered the Wirtschaftacademie to deactivate the fan page.

The issue was eventually brought before the German Federal Administrative Court which referred a number of questions to the ECJ.

The first question sought to know whether supervisory authorities can exercise their powers of intervention against a body that cannot be regarded as a controller within the meaning of Article 2(d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("the Data Protection Directive"). In this regard, the AG was of the opinion that Facebook Inc, Facebook Ireland and the Wirtschaftsacademie must be regarded as jointly responsible for the data processing. The AG also explained that the possibility of joint controllers is explicitly mentioned in Article 2(d) of the Data Protection Directive and that the case law of the Court gives the concept of "controller" a broad definition. Under such a definition, it is not necessary for any one joint controller to have complete control over all aspects of the data processing.

The second question was whether the German supervisory authority is entitled to exercise its powers of intervention with a view to stopping the personal data processing and against what party such powers may be exercised. In this regard, the AG was of the opinion that Article 4(1)(a) of the Data Protection Directive should be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, when an undertaking operating a social network sets up a subsidiary in that Member State which is intended to promote and sell advertising space offered by that undertaking and which directs its activities toward residents in that Member State.

Also, the AG was of the opinion that in a situation in which the national law which applies to the processing of personal data in question is that of the Member State to which a supervisory authority belongs, Article 28(1), (3) and (6) of the Data Protection Directive should be interpreted as meaning that that supervisory authority may exercise all the powers of intervention conferred on it in accordance with Article 28(3) of the Data Protection Directive against the controller, even if the controller is established in another Member State or a third country.

Third and finally, the AG gave his opinion on whether Article 28(1), (3) and (6) of the Data Protection Directive must be interpreted as meaning that the supervisory authority of the Member State in which the establishment of the controller (Facebook Germany) is located is entitled to exercise its powers of intervention autonomously and without being required to call first on the supervisory authority of the Member State in which the other joint controller (Facebook Ireland) is located to exercise its powers. The AG explained that the Data Protection Directive does not provide for a country-of-origin principle or a one-stop-shop mechanism. As a result, a controller which has establishments in several Member States is fully subject to the supervision of several supervisory authorities if the laws of the Member States to which those authorities belong apply. Consequently, the supervisory authority of the Member State in which the establishment of the controller is located is entitled to exercise its powers of intervention against that controller autonomously and without being required to call first on the supervisory authority of the Member State in which the controller is located.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.