On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its long-awaited Facebook fan page judgement (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the page. Only a day later, the Conference of German Data Protection Authorities (German DPAs) released a statement, titled ‘Time is up for not being responsible’ (Statement, available in German here), arguing that organisations do not meet data protection standards when operating a fan page on Facebook. Marketers in Germany and Europe are now uncertain whether they should take down their Facebook fan pages and any other social media presence. In this blog, we provide you with a first interpretation and a ‘first aid kit’.
Wirtschaftsakademie Schleswig-Holstein GmbH (Wirtschaftsakademie) operates a Facebook fan page and was ordered by the Schleswig-Holstein Data Protection Authority to deactivate the fan page. Neither Facebook Ireland Ltd nor Wirtschaftsakademie had been informing visitors of the functioning of cookies and subsequent processing of their data. Wirtschaftsakademie took this case to court, arguing essentially that it was not responsible for the processing of data by Facebook or cookies installed by Facebook.
The CJEU ruled that the operator of a fan page hosted on a social network must be considered a ‘data controller’.
The court began by noting that the concept of controller must be defined broadly as an entity that alone or jointly with others determines the purposes and means of the processing of personal data. It observed that, for the European Union, Facebook Ireland must be regarded as controller responsible for the processing of personal data of Facebook users and persons visiting the fan pages hosted on Facebook.
Next, the CJEU stated that the operator of a fan page hosted on Facebook is also a (co-) controller. The operator contributes to the processing of the visitors’ personal data by defining parameters in the creation of the fan page. In particular, the operator can request the processing of demographic data relating to its target audience (for example, age, sex, information on lifestyle and interests) and geographical data that allow the operator to target best the information it offers.
The case has now been referred back to the German Federal Administrative Court, which will decide whether the specific use of Facebook fan pages by Wirtschaftsakademie was compliant.