The European Court of Justice increases businesses' responsibility for their use of Facebook
Recently, the European Court of Justice delivered a ruling concerning the data responsibility of controllers of fan pages on Facebook. The ruling is far-reaching and establishes that Facebook and owners of fan pages on Facebook are jointly responsible for the collection of visitors’ personal data when they access the fan page.
The ground-breaking case arises out of a decision made by the data protection authorities in Schleswig-Holstein concerning an educational institution that was ordered to deactivate its fan page on Facebook. The decision was based on the fact that neither the educational institution nor Facebook informed the visitors that their personal data were collected by cookies when they accessed the fan page in question.
Data were collected through one of Facebook’s functions: ‘Facebook Insight’.
Facebook Insight is a tool whereby controllers of fan pages can collect anonymous statistical user data. Data are collected by cookies containing a user code, which Facebook stores on the user’s phone, tablet, or computer. Subsequently, the unique user code may be linked to user data already in Facebook’s possession and thus identify the user.
The data protection authorities’ decision was brought before the European Court of Justice in order to determine who is responsible for the collection of data on visitors to the Facebook fan page.
The European Court of Justice: Controllers are jointly responsible with Facebook
The European Court of Justice ruled that a controller of a fan page on Facebook shall be jointly responsible with Facebook for the collection and processing of personal data on visitors accessing the fan page in question.
The European Court of Justice’s establishment of joint responsibility for the collection and processing of data relies on the fact that the controller of a fan page is co-responsible with respect to the purpose of and tools for the collection of personal data, because the controller may define the criteria used for the collection of data on the fan page through filters provided by Facebook. Thereby, the controller of the fan page contributes to the processing of the visitors’ personal data and must thus be considered jointly responsible with Facebook for the data.
The European Court of Justice emphasized in its ruling that the controller may request various demographic data on a target audience, including data on age, gender, relationship status, work, lifestyle and interests, with a view to focusing information about events and offers on that specific group.
The European Court of Justice stated that joint data responsibility does not imply that all operators responsible for the data are responsible to the same extent, but that the individual operator’s level of responsibility must be assessed considering all the circumstances of the case.
The ruling shows that …
The ruling shows that businesses, organizations, etc. using the Facebook platform may be responsible for Facebook’s failure to comply with the personal data rules.
It should be emphasized that the joint data responsibility applies even though the controller of the fan page only gets access to the users’ anonymized demographic data and thus no access to the original personal data.
Joint data responsibility implies that the co-responsible controller is required to comply with the rights of data subjects in accordance with the data protection regulation, including the rights of access, erasure, rectification, etc.
For organizations and businesses that are already using or considering using Facebook as a platform for creating fan pages, it is therefore essential first to assess the risk that the joint data responsibility entails for the organization or business in question, especially whether the organization or business is able to comply with the obligations pursuant to the data protection regulation.