• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

Facebook advertisers beware: This ruling could change how you use Facebook for marketing

Information law analysis: The EU’s Advocate General Bot recently issued an Opinion regarding the relevant jurisdiction vis-a-vis data processing activities involving Facebook. Dan Whitehead, associate at Kemp Little, explains the background to the case and potential implications of the Opinion.

Original news

Opinion of AG Bot regarding data processing activities involving Facebook (Wirtschaftsakademie v ULD Schleswig-Holstein)

Wirtschaftsakademie Schleswig-Holstein GmbH v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Case C-210/16; ECLI:EU:C:2017:796

What are the facts and issues in the case?

Wirtschaftsakademie Schleswig-Holstein GmbH is a German company which specialises in providing educational and training services. It set up a ‘fan page’ on Facebook, through entering into a contract with Facebook’s German subsidiary, which was used to market its services. Through subscribing to a fan page account, Facebook made available to the company a supplementary service called ‘Facebook Insights’. Insights uses behaviour tracking cookies that are installed onto a user’s device by Facebook and provide anonymised data on the user’s habits and preferences to the owner of the fan page account.

In November 2011, the data protection authority in the German region of Schleswig-Holstein (the ULD) ordered Wirtschaftsakademie to deactivate its fan page on the basis neither Facebook nor it had informed visitors that their personal data was being collected and used for the Insights service.

Wirtschaftsakademie challenged the decision in the German Administrative Court, which set aside the decision on the basis that the company was not a controller in respect of the personal data collected through the Facebook fan page. The ULD’s case was subsequently dismissed by the Higher Administrative Court of Germany before being brought before the country’s Federal Administrative Court (FAC).

The FAC referred a number of questions to the Court of Justice of the European Union for preliminary ruling. In summary the main issues were:

  •  Can the ULD take action against a company for infringing Directive 95/46/EC (the Data Protection Directive) on the protection of individuals with regard to the processing of personal data and on the free movement of such data) even if they are not a data controller?
  • Is the ULD, as a German regulator, entitled to exercise its powers against Facebook despite the company’s designated data controllers being based in Ireland and the United States?
  •  If the answer to the second question is in the affirmative, then is the ULD first required to consult with the supervisory authority in the EU Member State which the data controller is located?

What was the Advocate General’s Opinion?

The Advocate General disagreed with the premise of the question relating to the first main issue. It was his opinion that Wirtschaftsakademie was in fact a joint data controller alongside Facebook in respect of Insights data processing, and therefore the company’s actions were governed by the Data Projection Directive.

In explaining his reasoning, the Advocate General stated that Wirtschaftsakademie took the decision to create the fan page of its own volition, therefore triggering the allegedly infringing data processing activities. Moreover, the company could have decided to bring the data processing to an end at any point by closing the page down. Instead Wirtschaftsakademie, through keeping the page live, benefited from the ability to use the Insights tool to enhance its marketing through understanding more about its target audience. In other words, you cannot ask a third party to process data on your behalf and then absolve yourself of all responsibility.

The Opinion takes a broad view of what it means to be a ‘data controller’ and explains that it is not necessary for a controller to have complete control over how data is processed. Instead, due to the ever increasing complexity of relationships between parties who are processing data, it is necessary to acknowledge that there may be a number of controllers involved in a single processing operation. Yet just because the parties are deemed to be joint controllers does not necessarily mean each of them bears equal responsibility for any infringements of the Data Projection Directive. We agree with the reasoning behind the conclusion that has been reached here.

In respect of the second main issue, the Advocate General stated that, in determining whether the ULD was able to exercise its powers against Facebook entities outside of Germany, it was necessary to show that the German regulator was entitled to apply its own national law and that this required two conditions to be met. First, the controller must have an establishment in Germany, and second the processing must be undertaken ‘in the context of the activities’ of that establishment.

It was the Advocate General’s opinion that under Article 4(1)(a) of the Data Projection Directive, an ‘establishment’ should, in accordance with the case of Google Spain SL & Google Inc v Agencia Española de Protección de Datos (AEPD) & Mario Costeja González Case C-131/12, be interpreted broadly to include any company that undertakes any ‘real and effective activity, even a minimal one’ and Facebook Germany was therefore an establishment of Facebook Ireland.

For German member state law to apply, it merely required that the processing be conducted in the ‘context of the activities’ of the establishment. In this case, because Facebook Germany was responsible for the promotion and sale of advertising space in its country, and this activity was reliant on the processing of personal data, its business activities were ‘indissolubly’ linked to those of Facebook Ireland. Therefore, the two-stage test was met, meaning that Facebook is required to comply with German law in respect of its activities on German territory and is subject to the UDG’s powers of enforcement.

Finally, the Advocate General concluded that, as the entity with decisive influence over the processing could be pursued for any alleged infringements of the Data Projection Directive, so it would follow that action could be taken directly against Facebook Ireland. In the Advocate General’s view, the fact that ULD may exercise its powers of intervention against Facebook Inc and Facebook Ireland in no way would prevent it from also taking measures against the Wirtschaftsakademie.

On the third main issue, the Advocate General argued that on the facts of this case, including because in this case the applicable law is that of the Member State of the supervisory authority that wishes to exercise its powers of intervention, that Article 28(6) of the Data Protection Directive should be interpreted such that the ULD is entitled to exercise its powers of intervention against Facebook Ireland with complete independence and without being required first to call on the Irish supervisory authority.

What are the implications for Wirtschaftsakademie, and other companies who use Facebook for advertising?

At present, this is only the Opinion of the Advocate General and is not in itself legally binding. However, if the Court of Justice agrees with the Opinion, then the German courts may rule that the lower courts were wrong in setting aside the UDG’s original order. This could result in Wirtschaftsakademie being forced to take down its fan page.

Equally, the potential implications of this Opinion on other EU companies who advertise through Facebook are considerable. The UDG and other supervisory authorities across the EU may use any equivalent Court of Justice ruling as authority for taking action against such companies on the basis that they are data controllers who are infringing data protection laws. The risk of this happening, along with the potential for higher fines under the General Data Protection Regulation, (EU) 2016/679 (GDPR), may force advertisers to be more cautious in their use of Facebook, and other social media platforms, and put pressure on these companies into providing greater assurances about the legality of their data processing techniques.

To what extent will controllers based in one Member State now be expected to comply with the laws of other Member States?

Even if the Court of Justice follows this Opinion, there are two primary reasons why it is unlikely to have a substantial effect on controllers at this time. Firstly, the right for the UDG to exercise its powers across Member State borders follows from the 2015 Weltimmo s.r.o v Nemzeti Adatvédelmi és Információszabadság Hatóság Case C-230/14 judgment. This case involved a question of whether the Hungarian supervisory authority was entitled to impose a fine on a service provider that was domiciled in Austria. The court used the same two-stage test outlined above to establish whether the law of Hungary applied to the Austrian company’s data processing, and found that it did; therefore confirming the right of a supervisory authority to fine a company across Member State borders.

Secondly, when the GDPR takes effect on 25 May 2018, it introduces a new ‘one-stop-shop’ mechanism which will override the rulings made in this case and Weltimmo. Under one-stop-shop, where there is cross-border processing involved, the controller will be subject to the jurisdiction of a single lead supervisory authority whose identity will be determined by the country in which the ‘main establishment’ of the controller is based. Applying these new rules to this case would most likely mean that the Irish supervisory authority would be the lead supervisory authority, and the UDG’s role would be limited to cooperating with them as outlined under Article 60 of the GDPR.

This article was first published on Lexis®PSL 8 November 2017. Click for a free trial of Lexis®PSL.

Contact our experts for further advice

Dan Whitehead