On 5 June 2018, the Court of Justice of the European Union (the "ECJ") delivered a judgment in response to a request for a preliminary ruling from the Bundesverwaltungsgericht (Federal Administrative Court, Germany – the "Court") concerning the interpretation of Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Directive") (ECJ, 5 June 2018, case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH).

The case concerned a fan page hosted on Facebook by Wirtschaftsakademie Schleswig-Holstein GmbH, a company operating in the field of education ("Wirtschaftsakademie"). The Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (the supervisory authority within the meaning of Article 28 of the Directive, with the task of supervising the application of data protection rules in the German Bundesland of Schleswig-Holstein (Germany), the "ULD") ordered Wirtschaftsakademie to deactivate the fan page it had set up on Facebook. According to the ULD, this processing was illegal since neither Wirtschaftsakademie nor Facebook had informed the fan page visitors that Facebook collected personal data concerning them through the use of cookies.

Wirtschaftsakademie challenged that decision, arguing essentially that it was not responsible under data protection law for the processing of the data by Facebook or the cookies which Facebook installed. In a judgment of 9 October 2013, the Verwaltungsgericht (Administrative Court) annulled the challenged decision. The ULD appealed to the Oberverwaltungsgericht (Higher Administrative Court), but the Oberverwaltungsgericht dismissed the ULD's appeal against the judgment. Finally, the ULD appealed to the Court which then decided to stay the proceedings and refer a number of questions to the ECJ for a preliminary ruling.

The ECJ held that the concept of "controller" in the Directive must be interpreted broadly, and must be interpreted in such a manner that it encompasses the administrator of a fan page hosted on a social network such as Facebook. Consequently, Wirtschaftsakademie must be regarded as a controller under the Directive.

Furthermore, with regard to the competence of the ULD, the ECJ held that Articles 4 and 28 of the Directive must be interpreted in such a manner that the ULD has jurisdiction to enforce Facebook's compliance with data protection laws because Facebook has an establishment in Germany. The ECJ specified that the fact that Facebook's establishment in Germany is responsible solely for the sale of advertising space and other marketing activities in Germany, while the exclusive responsibility for collecting and processing data belongs, for the entire territory of the European Union, to an establishment situated in Ireland, is not relevant to this question.

Finally, the ECJ concluded that the ULD is competent to assess the lawfulness of the data processing, independently of the supervisory authority of another Member State, and may exercise its powers of intervention with respect to the entity in its territory (in the case at hand, Facebook) without first calling on the supervisory authority of the other Member State to intervene. In other words, the ECJ held that the ULD is competent to assess Facebook's compliance with data protection laws, without having to take into account the opinion of, for example, the Irish data protection regulator. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.