German DPA against Facebook for processing data without permission

On October 24, 2017, Advocate General Bot issued his preliminary opinion in case C‑210/16, opining on the definition of a data controller, applicable national law, and jurisdiction under EU data protection law under Directive 95/46/EC. The opinion is not binding, but if it is followed by the European Court of Justice (CJEU), EU companies that have been advertising through Facebook might be considered data controllers and be accused of infringing national data protection laws.

After Facebook’s privacy policy changes in January 2015, several EU Data Protection Authorities, including the Hamburg DPA, started investigations in accordance with the provisions of their national legal systems. See here.

The Hamburg DPA has issued two different orders relating to the Facebook Group.

One case was centered around the use of pseudonyms. In this case, the request for a preliminary ruling to the CJEU, Case C-210/16, concerned the legality of an order made by the Hamburg DPA (HmbBfDI, Hamburgischen Beauftragten für Datenschutz und Informationsfreiheit) requiring an education company to deactivate a fan page hosted by Facebook Ireland, the entity that Facebook Inc. designated as EU controller of personal data. (A Facebook fan page is a special Facebook user account that individuals and businesses can set up in order to promote themselves.)

The German DPA alleged that, by failing to inform end users visiting the fan page that their data would be automatically collected by Facebook via cookies, the fan page infringed a variety of provisions of German data protection law implementing Directive 95/46. Data was collected via Facebook to compile anonymous statistical information for the benefit of both the advertising company and Facebook, which would refine its targeted advertising.

The education company argued that it was not responsible for the activities carried out by Facebook, including the automatic installation of cookies on end users’ computing equipment, and therefore it was not a data controller in respect of such personal data processing, and so it should not be subject to the jurisdiction of the German DPA.

To decide the issue, the Bundesverwaltungsgericht (the German Federal Administrative Court) requested a preliminary ruling from the European Court of Justice on the definition of data controller, applicable national law, and jurisdiction under applicable EU data protection law.

On October 24, 2017, Advocate General Bot highlighted the following points:

The concept of controller is far reaching. The administrator of a fan page on a social network is responsible – as a controller within the meaning of Article 2(d) of Directive 95/46 – for the processing of personal data consisting in the collection by that social network of data relating to people who visit the fan page.

“The administrator of a fan page on the Facebook social network must be regarded as being, along with Facebook Inc. and Facebook Ireland, a controller of the processing of personal data that is carried out for the purpose of compiling viewing statistics for that fan page”.

He clarified that the existence of shared responsibility does not imply equal responsibility. On the contrary, the various controllers may be involved in the processing of personal data at different stages and to differing degrees.

Basically, companies creating their own website and utilizing tools similar to those made available through Facebook for the purposes of managing fan pages could be considered controllers.

According to Mr. Bot, Directive 95/46 [Articles 17(2), 24 and 28(3)] must be interpreted as

permitting supervisory authorities to exercise their powers of intervention against a body that shall be regarded as a ‘controller’ within the meaning of Article 2(d) of that directive, and that shall be held liable in the event of infringement of the rules on the protection of personal data on account of its decision to have recourse to a social network such as Facebook for the publication of its information offering.

National data protection laws are applicable. Advocate General Bot rejects Facebook’s claim of sole Irish jurisdiction in the EU. According to his opinion, when a parent company established outside the European Union, such as Facebook Inc., provides social network services in the territory of the European Union through the intermediary of several establishments, and one of those establishments (Facebook Ireland) has been designated by the parent company as the controller of personal data processing in the European Union while the other is responsible for the advertising directed toward residents in Germany (Facebook Germany), the German supervisory authority is entitled to exercise its powers of intervention. See Articles 4(1)(a) and 28(1), (3) and (6), Directive 95/46.

Under Directive 95/46, where a controller has several establishments within the European Union, “neither the place where the data processing is carried out nor the place where the controller has established its head office in the European Union is decisive in identifying the national law which applies to data processing or in entitling a supervisory authority to exercise its powers of intervention”.

However, from 25 May 2018 onwards – with the GDPR – this will change and a one-stop-shop mechanism will be instituted. This means that a controller that carries out cross-border data processing, such as Facebook, will have only one supervisory authority as interlocutor, namely the lead supervisory authority, which will be the authority for the place where the controller’s main establishment is located.

DPAs have autonomous powers to intervene. Advocate General Bot concludes that Directive 95/46 should be interpreted as meaning that “the supervisory authority of the Member State in which the establishment of the controller is located is entitled to exercise its powers of intervention against that controller autonomously and without being required first to call on the supervisory authority of the Member State in which the controller is located to exercise its powers”. See Article 28(1), (3) and (6) of Directive 95/46.

In a second procedure, the Hamburg DPA ordered the Facebook Group to stop combining data from WhatsApp users without their prior consent. See here. On April 25, 2017, the (lower) German Administrative Court confirmed the validity of this order, without deciding on applicable law.

 

See here the common statement by the coordinated contact group of the involved Data Protection Authorities of The Netherlands, France, Spain, Hamburg and Belgium. Click here for an overview of the national resolutions or on the name of each country to see the result of the various national procedures.

 

The opinion of Advocate General Bot delivered on 24 October 2017 in Case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht, is available at http://curia.europa.eu…

For more information on how the EU data protection regulation may affect your business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.
