Facebook advertisers beware: This ruling could change how you use Facebook for marketing
Information law analysis: The EU’s Advocate General Bot recently issued an Opinion regarding the relevant jurisdiction vis-a-vis data processing activities involving Facebook. Dan Whitehead, associate at Kemp Little, explains the background to the case and potential implications of the Opinion.
Original news
Opinion of AG Bot regarding data processing activities involving Facebook (Wirtschaftsakademie v ULD Schleswig-Holstein)
Wirtschaftsakademie Schleswig-Holstein GmbH v Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Case C-210/16; ECLI:EU:C:2017:796
What are the facts and issues in the case?
Wirtschaftsakademie Schleswig-Holstein GmbH is a German company which specialises in providing educational and training services. It set up a ‘fan page’ on Facebook, through entering into a contract with Facebook’s German subsidiary, which was used to market its services. Through subscribing to a fan page account, Facebook made available to the company a supplementary service called ‘Facebook Insights’. Insights uses behaviour tracking cookies that are installed onto a user’s device by Facebook and provide anonymised data on the user’s habits and preferences to the owner of the fan page account.
In November 2011, the data protection authority in the German region of Schleswig-Holstein (the ULD) ordered Wirtschaftsakademie to deactivate its fan page on the basis that neither Facebook nor it had informed visitors that their personal data was being collected and used for the Insights service.
Wirtschaftsakademie challenged the decision in the German Administrative Court, which set aside the decision on the basis that the company was not a controller in respect of the personal data collected through the Facebook fan page. The ULD’s case was subsequently dismissed by the Higher Administrative Court of Germany before being brought before the country’s Federal Administrative Court (FAC).
The FAC referred a number of questions to the Court of Justice of the European Union for preliminary ruling. In summary the main issues were:
- Can the ULD take action against a company for infringing Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive) even if it is not a data controller?
- Is the ULD, as a German regulator, entitled to exercise its powers against Facebook despite the company’s designated data controllers being based in Ireland and the United States?
- If the answer to the second question is in the affirmative, then is the ULD first required to consult with the supervisory authority in the EU Member State in which the data controller is located?
What was the Advocate General’s Opinion?
The Advocate General disagreed with the premise of the question relating to the first main issue. It was his opinion that Wirtschaftsakademie was in fact a joint data controller alongside Facebook in respect of Insights data processing, and therefore the company’s actions were governed by the Data Protection Directive.
In explaining his reasoning, the Advocate General stated that Wirtschaftsakademie took the decision to create the fan page of its own volition, therefore triggering the allegedly infringing data processing activities. Moreover, the company could have decided to bring the data processing to an end at any point by closing the page down. Instead Wirtschaftsakademie, through keeping the page live, benefited from the ability to use the Insights tool to enhance its marketing through understanding more about its target audience. In other words, you cannot ask a third party to process data on your behalf and then absolve yourself of all responsibility.
The Opinion takes a broad view of what it means to be a ‘data controller’ and explains that it is not necessary for a controller to have complete control over how data is processed. Instead, due to the ever increasing complexity of relationships between parties who are processing data, it is necessary to acknowledge that there may be a number of controllers involved in a single processing operation. Yet just because the parties are deemed to be joint controllers does not necessarily mean each of them bears equal responsibility for any infringements of the Data Protection Directive. We agree with the reasoning behind the conclusion that has been reached here.
In respect of the second main issue, the Advocate General stated that, in determining whether the ULD was able to exercise its powers against Facebook entities outside of Germany, it was necessary to show that the German regulator was entitled to apply its own national law and that this required two conditions to be met. First, the controller must have an establishment in Germany, and second the processing must be undertaken ‘in the context of the activities’ of that establishment.
It was the Advocate General’s opinion that under Article 4(1)(a) of the Data Protection Directive, an ‘establishment’ should, in accordance with the case of Google Spain SL & Google Inc v Agencia Española de Protección de Datos (AEPD) & Mario Costeja González Case C-131/12, be interpreted broadly to include any company that undertakes any ‘real and effective activity, even a minimal one’ and Facebook Germany was therefore an establishment of Facebook Ireland.
For German member state law to apply, it merely required that the processing be conducted in the ‘context of the activities’ of the establishment. In this case, because Facebook Germany was responsible for the promotion and sale of advertising space in its country, and this activity was reliant on the processing of personal data, its business activities were ‘indissolubly’ linked to those of Facebook Ireland. Therefore, the two-stage test was met, meaning that Facebook is required to comply with German law in respect of its activities on German territory and is subject to the ULD’s powers of enforcement.
Finally, the Advocate General concluded that, as the entity with decisive influence over the processing could be pursued for any alleged infringements of the Data Protection Directive, so it would follow that action could be taken directly against Facebook Ireland. In the Advocate General’s view, the fact that the ULD may exercise its powers of intervention against Facebook Inc and Facebook Ireland would in no way prevent it from also taking measures against the Wirtschaftsakademie.
On the third main issue, the Advocate General argued that, on the facts of this case, including that the applicable law is that of the Member State of the supervisory authority that wishes to exercise its powers of intervention, Article 28(6) of the Data Protection Directive should be interpreted such that the ULD is entitled to exercise its powers of intervention against Facebook Ireland with complete independence and without being required first to call on the Irish supervisory authority.
What are the implications for Wirtschaftsakademie, and other companies who use Facebook for advertising?
At present, this is only the Opinion of the Advocate General and is not in itself legally binding. However, if the Court of Justice agrees with the Opinion, then the German courts may rule that the lower courts were wrong in setting aside the ULD’s original order. This could result in Wirtschaftsakademie being forced to take down its fan page.
Equally, the potential implications of this Opinion on other EU companies who advertise through Facebook are considerable. The ULD and other supervisory authorities across the EU may use any equivalent Court of Justice ruling as authority for taking action against such companies on the basis that they are data controllers who are infringing data protection laws. The risk of this happening, along with the potential for higher fines under the General Data Protection Regulation, (EU) 2016/679 (GDPR), may force advertisers to be more cautious in their use of Facebook, and other social media platforms, and put pressure on these companies to provide greater assurances about the legality of their data processing techniques.
To what extent will controllers based in one Member State now be expected to comply with the laws of other Member States?
Even if the Court of Justice follows this Opinion, there are two primary reasons why it is unlikely to have a substantial effect on controllers at this time. Firstly, the right for the ULD to exercise its powers across Member State borders follows from the 2015 Weltimmo s.r.o v Nemzeti Adatvédelmi és Információszabadság Hatóság Case C-230/14 judgment. This case involved a question of whether the Hungarian supervisory authority was entitled to impose a fine on a service provider that was domiciled in Austria. The court used the same two-stage test outlined above to establish whether the law of Hungary applied to the Austrian company’s data processing, and found that it did, therefore confirming the right of a supervisory authority to fine a company across Member State borders.
Secondly, when the GDPR takes effect on 25 May 2018, it introduces a new ‘one-stop-shop’ mechanism which will override the rulings made in this case and Weltimmo. Under one-stop-shop, where there is cross-border processing involved, the controller will be subject to the jurisdiction of a single lead supervisory authority whose identity will be determined by the country in which the ‘main establishment’ of the controller is based. Applying these new rules to this case would most likely mean that the Irish supervisory authority would be the lead supervisory authority, and the ULD’s role would be limited to cooperating with them as outlined under Article 60 of the GDPR.
This article was first published on Lexis®PSL on 8 November 2017.