A majority of businesses have some sort of social media platform which they use to interact and engage with customers and clients – and social media is indeed a great way to connect with customers. However, much like many other areas of business, data protection and compliance still applies and should be treated accordingly.
On 5th June 2018 the Court of Justice of the European UnionA Court interpreting EU law, ensuring it is applied in the same way in all EU countries, and settling legal disputes between national governments and EU institutions. The Courts ensure the correct interpretation and application of primary and secondary EU law within the EU. It consists of two courts: the Court of Justice and the General Court. (CJEU) passed its judgement in Case C-210/16 Wirtschaftsakademie Schleswig-Holstein. This concerned the Wirtschaftsakademie’s Facebook fan page which the data protection authority of Schleswig-Holstein, Germany, sought to deactivate.
The reason for the push to deactivate the page was based on Wirtschaftsakademie’s failure to warn visitors to their fan page that their personal dataInformation which relates to an identified or identifiable natural person. would be collected by cookiesData which tracks a visitor’s movement on a website and remembers their behaviour and preferences.. In a decision that has taken much of the data protection community by surprise, the CJEU ruled that an administrator of a Facebook fan page is a joint controller alongside the social media giant itself. Although this judgement is made under the Data Protection Directive 95/46/ECA European Union Directive regulating the processing of personal data within the European Union in which the previous Data Protection Act 1998 enacted. The GDPR has superseded this regulation., which has been replaced by the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR), the principles on which the judgement has been based are materially the same as those of the GDPR.
The Advocate General established, in relation to Wirtschaftsakademie, sufficient control over the processing activity and the purpose of the processing activity. This essentially lead the Advocate General to disagree with the referring court’s ruling that Wirtschaftsakademie is not a controller as it has no control or influence over the processing of personal data by Facebook. In fact, the case highlights two key points:
So, what does this mean for fan page owners going forward? In summary, this judgement, if followed by the court means creators of Facebook fan pages will be as liable as Facebook for the processing of personal data in connection with their fan page.
This case highlights the complexities of data protection provisions. At the DPO Centre, one of the first matters we assess for our clients is their role in contractual relationships. Are you a controller or a processor? Are you a joint controller or are you simply a data source? A few questions to help you begin to determine the part you play are:
Who determines the purpose of the data processing and who benefits from achieving this purpose? Who has the power to start and, arguably the more important question, who has the power to end the processing?
For a deeper assessment of your contractual relationships and the consequential responsibilities, feel free to get in touch via our contact us page.