'Data controller' concept expanded by EU court ruling

Out-Law Analysis | 05 Jun 2018 | 4:48 pm | 4 min. read

ANALYSIS: More organisations will be considered to be 'data controllers' and fully subject to data protection law as a result of a new ruling issued by the EU's highest court.

On Tuesday, the Court of Justice of the EU (CJEU) ruled that the administrators of 'fan pages' on Facebook should be considered to be joint controllers of the personal data processed about people who access those pages.

The ruling concerned a German educational services provider which operates a fan page on Facebook, but it will impact all organisations that have an influence over how personal data is processed, even if they do not primarily determine the purposes and means of the processing or have access to the data.

The judgment represents a significant broadening of the concept of data controllership under EU data protection law.

The case

The case considered by the CJEU has a long history. It concerns a dispute over data processing carried out in connection with a fan page on Facebook. The administrator of the fan page is German organisation Wirtschaftsakademie Schleswig-Holstein, which provides educational services.

In 2011, the data protection authority in the German state of Schleswig-Holstein took issue with data processing relating to the Wirtschaftsakademie fan page.

According to the CJEU's ruling, the watchdog ordered Wirtschaftsakademie to deactivate its fan page after raising concern that neither it nor Facebook had informed people visiting the page that cookies were being used to gather information about them.

However, Wirtschaftsakademie challenged the data protection authority's order. It argued that Facebook and not it was not responsible for the data processing.

The case has progressed up through the German courts and is now being considered by Germany's Federal Administrative Court. It asked the CJEU to help it interpret EU data protection law before it issues a ruling on the matter.

The law

Under EU data protection law it is possible for more than one organisation to be considered a 'controller' of how personal data is processed.

Organisations are considered to be data controllers where they alone or jointly determine the purposes and means of the processing of personal data.

The distinction between a 'data controller' and a 'data processor' is important. Under EU data protection laws, data controllers have overarching responsibility for personal data that is processed, even where the processing is carried out by others. In contrast, mere data processors have fewer responsibilities, albeit their obligations have increased under the new General Data Protection Regulation (GDPR).

The CJEU's judgment

In its ruling, the CJEU held that Facebook was a data controller of the personal data processed about its users and other visitors to fan pages hosted on its platform.

This, the CJEU said, is because the company is "primarily determining the purposes and means of processing" of that data.

However, the court also ruled that Wirtschaftsakademie was a joint data controller in respect of the personal data processed about visitors to its fan page. This is because the organisation has an influence over the data processing, and is despite the fact it does not have access to the data processed other than in anonymised form for statistical purposes, it said.

The CJEU considered that Wirtschaftsakademie helped to set the "parameters" by which the personal data about visitors to its page was processed.

The CJEU said: "The creation of a fan page on Facebook involves the definition of parameters by the administrator, depending inter alia on the target audience and the objectives of managing and promoting its activities, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page. The administrator may, with the help of filters made available by Facebook, define the criteria in accordance with which the statistics are to be drawn up and even designate the categories of persons whose personal data is to be made use of by Facebook. Consequently, the administrator of a fan page hosted on Facebook contributes to the processing of the personal data of visitors to its page."

"In particular, the administrator of the fan page can ask for – and thereby request the processing of – demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers," it said.

"While the audience statistics compiled by Facebook are indeed transmitted to the fan page administrator only in anonymised form, it remains the case that the production of those statistics is based on the prior collection, by means of cookies installed by Facebook on the computers or other devices of visitors to that page, and the processing of the personal data of those visitors for such statistical purposes. In any event, [EU data protection law] does not, where several operators are jointly responsible for the same processing, require each of them to have access to the personal data concerned," the court said.

The ruling's impact

The CJEU's judgment means that any organisation that has an influence over how personal data is processed could be considered a data controller, not just in the context of fan pages on Facebook.

In this respect, organisations that may not have previously considered themselves 'data controllers' could be forced to do so.

In practice, this could mean ensuring their joint data controller has issued appropriate fair processing notices and obtained any necessary consents to the processing of data.

In addition, they should be ready to handle subject access requests and requests to delete data – even if this just means passing those requests on to the other joint controller – even if they do not primarily determine the way the data is processed or even have access to it in identifiable form.

However, there may be challenges for businesses where the joint controllers they engage with use standard contract terms that do not recognise these circumstances.

Given the potential penalties that can be levied under the GDPR, it is now incumbent on data protection authorities in light of this ruling to apply common sense when considering the factors that joint controllers have control over when using service providers that primarily determine how personal data is processed.

Marc Dautlich and Claire Edwards are data protection law experts at Pinsent Masons, the law firm behind Out-Law.com.