Court of Justice of the European Union: Grand Chamber judgment on the concept of a data controller

IRIS 2018-8:1/5

Svetlana Yakovleva

Institute for Information Law (IViR), University of Amsterdam & De Brauw, Blackstone, Westbroek

On 5 June 2018, the Court of Justice of the European Union (CJEU) delivered a judgment in the case of Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (Case C-210/16). The judgment interprets the notion of a “controller” - one of the key concepts of the European data protection framework - within the context of a relationship between Facebook and the administrator of a fan page created on Facebook's platform. In addition, it clarifies the scope of the enforcement powers of the national data protection authorities in relation to local offices of non-European companies, such as Facebook.

The judgment addressed a request for a preliminary ruling from the Federal Administrative Court of Germany in a dispute between the Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany (“the ULD”) and the Wirtschaftsakademie Schleswig-Holstein GmbH (“the WSH”). The WSH operated a fan page on Facebook in order to provide educational services. The fan page was accessible to individuals, irrespective of whether or not they had an account on Facebook. As the administrator of the fan page, the WSH obtained anonymous statistical information regarding visitors to its fan page, which Facebook collected by placing cookies on users’ devices. Neither Facebook nor the WSH informed users of the storage and functioning of the cookies or the subsequent processing of their personal data.

The key questions that the German court referred to the CJEU were: (1) whether the administrator of a fan page on Facebook qualifies as a personal data controller on a par with Facebook, and is therefore responsible for processing the personal data of fan page visitors; and (2) whether the ULD is competent to exercise enforcement powers against Facebook Germany, which, according to the division of tasks within the group, is not responsible for the processing of personal data.

Referring to its Google Spain judgment (see IRIS 2014-6/3), the CJEU reiterated that the concept of a “controller” should be interpreted broadly in order to ensure the “effective and complete protection” of individuals. The CJEU established that although the administrator of a fan page only receives statistics in anonymised form, it nevertheless contributes to the processing of the personal data of visitors of such a fan page by requesting Facebook to process such personal data and by defining the parameters and criteria for drawing up the statistics. Thus, the administrator of a fan page contributes to determining, jointly with Facebook, the purposes and means of processing visitors’ personal data; such an administrator therefore falls under the definition of “controller” under Data Protection Directive 95/46 (see IRIS 1998-10/4). Although since 25 May 2018 the Directive has been superseded by the General Data Protection Regulation (see IRIS 2018-6/7), this interpretation remains relevant, as the definition of “controller” has remained unchanged.

The CJEU also ruled that although Facebook Germany is only responsible for promoting and selling advertising space in Germany (while all the responsibility for processing personal data within Europe is assigned to Facebook Ireland), the ULD is nevertheless competent to exercise its powers in respect of Facebook Germany without calling on the supervisory authority of Ireland. The Court explained that the processing of the personal data of German visitors to the fan page is intended to improve Facebook’s advertising system - the major source of Facebook's revenue. Therefore, the activities of Facebook Germany must be regarded as “inextricably linked” to the processing of the personal data at issue.


Related articles

IRIS 2018-6:1/7 Council of the EU: General Data Protection Regulation becomes applicable

IRIS 2014-6:1/3 Court of Justice of the European Union: Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos

IRIS 1998-10:1/4 European Union: Data Protection Directive Takes Effect

This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.