Users may be responsible for Facebook’s activity
The recent judgement of the Court of Justice of the EU (CJEU) will not please many administrators of ‘fan pages’ hosted on Facebook: in its ruling in case C 210/16 ULD vs. Wirtschaftsakademie, the CJEU concluded that the administrator is in the position of a personal data controller, and therefore responsible for the processing of fan page’s visitors’ personal data.
The dispute started when the German Data Protection Authority ordered Wirtschaftsakademie, a company providing educational services through its website, to deactivate its fan page on Facebook. The German authority supported its decision by claiming an infringement of the information duty, as the visitors of the fan page were not warned that their personal data were being processed. The processing, comprising placement of cookies on the visitor’s hard disks and their subsequent use, was done solely by Facebook, and the fan page administrator neither had any control over the processing, nor any access to the personal data. Facebook only allowed the fan page administrator to view anonymised statistical reports.
The case eventually appeared before the German Federal Administrative Court, which referred to the CJEU to clarify whether Wirtschaftsakademie may indeed be considered a data controller.
In terms of responsibility for personal data processing, it is of key importance to determine the position of the entity. Generally, entities may be in the position of a personal data controller (e.g. an employer in relation to its employees), a personal data processor (e.g. an external accounting firm hired by the employer), or may not process personal data at all. The personal data controller has the primary responsibility for data processing, while there may be several controllers for a single processing, in which case they are jointly responsible. Under the GDPR, and under the previous regulation, the controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.
In the case in question, the CJEU, as expected, confirmed that Facebook was in the position of the personal data controller. Yet, surprisingly, it also held that the administrator of a fan page hosted on Facebook may be a data controller as well. According to the court, by setting up the page (for instance determining the target audience and the purpose of promoting its activities), the administrator participated in determining the purpose and means of processing the fan page’s visitors’ personal data, jointly with Facebook.
In this ruling, the CJEU interpreted the definition of a personal data controller very extensively. This puts fan page administrators in a rather difficult position: they may be held responsible for personal data processing done by Facebook while not having any influence over it. And, as we already know from the Cambridge Analytica case, Facebook is not all too worried about sticking to rules.