CJEU - C-210/16 - Facebook Fanpages

From GDPRhub
Revision as of 15:19, 30 October 2020 by Elaine (talk | contribs) (I put a full stop after Directive 95/46 and added the word Also in the last sentence)
CJEU - Case C-210/16 Facebook Fan pages
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Article 1 Directive 95/46
Article 17 Directive 95/46
Article 2 Directive 95/46
Article 24 Directive 95/46
Article 28 Directive 95/46
Article 4 Directive 95/46
Recital 10 Directive 95/46
Recital 18 Directive 95/46
Recital 19 Directive 95/46
Recital 26 Directive 95/46
Paragraph 11 German Federal Law on Data Protection (BDSG)
Paragraph 3(7) German Federal Law on Data Protection (BDSG)
Paragraph 38(5) German Federal Law on Data Protection (BDSG)
Paragraph 12 German Law on Electronic Media 2007 (BGBI)
Decided: 05.06.2018
Parties: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Wirtschaftsakademie Schleswig-Holstein GmbH
Case Number/Name: Case C-210/16 Facebook Fan pages
European Case Law Identifier: ECLI:EU:C:2018:388
Reference from: Federal Administrative Court
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Elaine Thuo

The case involved the German Data Protection Supervisory Authority (ULD) and a public law company, Wirtschaftsakademie. The Supervisory Authority ordered the company to deactivate its fan page on Facebook or pay a fine due to lack of compliance with the data protection laws. The company objected to this decision and lodged a complaint to ULD against its decision. ULD dismissed the appeal after which the company lodged a formal complaint in the Administrative Court. The matter was appealed all the way to the Federal Administrative Court and later to the Court of Justice of the European Union where it was held that an administrator of a fan page may fall within the definition of a controller under Article 2(d) of Directive 95/46. Also, the supervisory Authority in-charge in the member state of the establishment has authority to ensure compliance with data protection laws.


English Summary

Facts

The company offered educational services through a fan page hosted by Facebook. As administrators, they obtained statistical information on visitors to the fan page via Facebook Insights offered by Facebook free of charge under non-negotiable conditions of use. The information was obtained using cookies, each containing a unique user code, stored by Facebook in the devices of visitors and were active for two years. The unique code could be matched with users registered on Facebook and their personal data was collected when the fan page was opened. Neither the company nor Facebook notified users/visitors of the fan page of the storing of cookies or processing of their personal data.

Dispute

The Independent Data Protection Centre Germany, (ULD) made a decision on 3rd November 2011 against the company ordering them to deactivate the fan page within the prescribed period or pay a penalty fine on grounds that: 1. Neither Facebook nor the company notified the users that Facebook collected Personal data of the users; 2. That Facebook processed personal data of the users The company brough a dispute against that decision arguing that it was not responsible for the processing of personal data under the data protection law. This dispute went back and forth from the Administrative Court to the Federal Court who referred the matter to the CJEU seeking clarifications on whether an administrator of a fan page hosted by a social network is a controller within the definition under Article 2 (d)of Directive 95/46.


Holding

The CJEU held that the mere fact of using a social network doesn’t make the user a controller responsible for processing personal data. However, an administrator who creates a fan page, consents to the use policy, cookies policy, defines the objectives and promotes its activities has an influence on the processing of personal data for the purpose of producing a statistical report, by Facebook, on the fan page, whether anonymized or not. Thus, the administrator is a joint controller with Facebook under Article 2(d) Directive 95/46.

It also held that, as a joint controller with Facebook, the administrator’s responsibility is not equal to that of Facebook because they may be involved at different stages of that processing of personal data and to different degrees.


Comment

Administrators of fan pages on a social network should be keen on the purpose of their page. The context of the purpose is crucial in determining whether an administrator would be regarded as a joint controller with a social network or not.

Further Resources

Share blogs or news articles here!