- June 14, 2018
- Data Protection
A majority of businesses have some sort of social media platform which they use to interact and engage with customers and clients – and social media is a great way to connect with customers, however, much like many other areas of business, data protection and compliance still applies and should be treated accordingly.
On 5th June 2018 the Court of Justice of the European Union (CJEU) passed its judgment in Case C-210/16 Wirtschaftsakademie Schleswig-Holstein. This concerned the Wirtschaftsakademie’s Facebook fan page which the data protection authority of Schleswig-Holstein, Germany, sought to deactivate.
The reason for the push to deactivate the page was based on Wirtschaftsakademie’s failure to warn visitors to their fan page that their personal data would be collected by cookies. In a decision that has taken much of the data protection community by surprise, the CJEU ruled that an administrator of a Facebook fan page is a joint controller alongside the social media giant itself. Although this judgment is made under the Data Protection Directive 95/46/EC, which has been replaced by the General Data Protection Regulation (GDPR), the principles on which the judgment has been based are materially the same as those of the GDPR.
The Advocate General established, in relation to Wirtschaftsakademie, sufficient control over the processing activity and the purpose of the processing activity. This essentially lead the Advocate General to disagree with the referring court’s ruling that Wirtschaftsakademie is not a controller as it has no control or influence over the processing of personal data by Facebook. In fact, the case highlights two key points:
- As well as facilitating the fulfilment of purposes for Facebook, namely enabling Facebook to target advertisements to the fan page visitors by tracking their web browsing habits, the cookies on the page fulfilled purposes for Wirtschaftsakademie by compiling viewing statistics for Wirtschaftsakademie.
- Wirtschaftsakademie has substantial control over the processing activity as without the participation of Wirtschaftsakademie the data processing could not occur; and they could end the processing of personal data by closing the fan page down. Therefore, it was decided that the fan page owner plays an active role in determining the means and purpose of the processing of personal data.
So, what does this mean for fan page owners going forward. In summary, this judgment, if followed by the court means creators of Facebook fan pages will be as liable as Facebook for the processing of personal data in connection with their fan page.
This case highlights the complexities of data protection provisions. At the DPO Centre, one of the first matters we assess for our clients is their role in contractual relationships. Are you a controller or a processor? Are you a joint controller or are you simply a data source? A few questions to help you begin to determine the part you play are:
Who determines the purpose of the data processing and who benefits from achieving this purpose? Who has the power to start and, arguably the more important question, who has the power to end the processing?
For a deeper assessment of your contractual relationships and the consequential responsibilities, feel free to get in touch via our contact us page.