Facebook Germany case, social media and digital advertising
Information Law analysis: How far can organisations legally go with promotions and advertising through social media platforms? Dan Whitehead, senior associate at Kemp Little, considers… Read more
Information Law analysis: How far can organisations legally go with promotions and advertising through social media platforms? Dan Whitehead, senior associate at Kemp Little, considers the implications of ULD v Wirtschaftsakademie Schleswig-Holstein GmbH, which concerned the use of social media to undertake targeted digital advertising.
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH Case C-210/16,  All ER (D) 56 (Jun)
What are the main implications of this case?
This recent data protection decision made by the Court of Justice could have a significant impact on the risk profile of organisations looking to make use of social media and other technology platforms, such as Facebook, to undertake targeted digital advertising campaigns. The case also gives rise to some interesting questions about the ability of data protection regulators based in different Member States to take enforcement action against multinational companies with multiple establishments across the EU.
Potentially the most significant implication of this ruling is on how promotions and advertising through social media platforms may change as a result. The use of Facebook fan pages is prevalent across many sectors, including private, public and charitable organisations, many of whom may have previously considered the regulatory risks of online advertising to be relatively low, partly as it was felt not to be their responsibility (although this perception has also shifted somewhat in light of the General Data Protection Regulation (EU) 2016/679, (GDPR) and the revised definition of consent).
This decision means that advertisers will need to be much more wary of the data protection risks associated with using Facebook and other technology platforms who process personal data on their behalf for marketing purposes, now they are regarded as jointly responsible for these activities.
Nonetheless, it appears unlikely that there will be any immediate and sudden change to how organisations make use of these technology providers. According to a recent article published in the Financial Times, Facebook and Google were forecast to account for 84% of global spending on digital advertising across the globe (excluding China) in 2017. The reliance that companies have on these platforms for marketing means that they are unlikely to move away from using them as a consequence of this judgment.
It appears more likely that change will be driven by supervisory authorities within EU Member States taking regulatory enforcement action against technology platforms and the organisations who use their services over the coming years, resulting in a gradual evolution in behaviours.
What are the facts of this case and what did the court decide?
Wirtschaftsakademie Schleswig-Holstein GmbH is a German company which specialises in the provision of educational and training services. This case centres around a ‘fan page’ that the company created on Facebook. Fan pages are commonly used by many organisations, including the majority of large multinational companies, for brand and product promotion. Facebook users, along with other visitors to the site who are not registered with the social media platform, can visit the page, like it and comment on its posts.
Administrators of the page are able to create paid-for adverts, which are then promoted by Facebook. These adverts may be targeted to specific audiences, based on certain characteristics such as age group, gender and geographical location. Facebook also makes available to administrators a tool called ‘Facebook Insights’ which publishes certain anonymous statistical information about the visitors to the fan page. The information is collected through cookies which are installed on the user’s electronic device when they visit the page.
The ULD, as the supervisory authority for Schleswig-Holstein (a territory within Germany), ordered Wirtschaftsakademie to deactivate the fan page or face a regulatory fine if it failed to do so. This decision was made on the basis that neither Wirtschaftsakademie nor Facebook Germany (the Facebook subsidiary responsible for hosting the page) had informed visitors to the page that personal data would be collected about them through cookies.
Wirtschaftsakademie brought a complaint against the ULD, claiming that it was not responsible for the processing of the data by Facebook under the EU’s Data Protection Directive 95/46/EC, nor the German implementation of the Directive (the Bundesdatenschutzgesetz or ‘BDSG’), both of which remained in effect at the time the case was brought.
The complaint was dismissed by the ULD, but then progressed through the German courts up to the Bundesverwaltungsgericht (Federal Administrative Court), which decided to stay the proceedings and refer a number of questions to the European Court of Justice for a preliminary ruling.
The questions put before the Court of Justice can essentially be summarised as follows:
- Whether an entity, in its capacity as an administrator of a fan page on a social network, can be held liable for the alleged data protection infringements of that social network because it has chosen that network to distribute its marketing and promotional content. This can ultimately be construed as a question concerning whether Wirtschaftsakademie is considered to be a con-troller under the Data Protection Directive 95/46/EC.
- Where an undertaking that is established outside of the EU (ie Facebook, Inc) has several establishments in different Member States, is a supervisory authority (ie the ULD) entitled to bring enforcement action under the Data Protection Directive against an establishment based in its own jurisdiction (ie Facebook Germany), even if that establishment is only responsible for the sale of advertising space and marketing activities, and particularly where exclusive responsibility for collecting and processing the relevant personal data belongs to another establishment in a different Member State (in this case, Facebook Ireland)?
- Can a supervisory authority (ie the ULD) exercise its powers under the Data Protection Directive against an establishment based within its own territory (ie Facebook Germany) for infringements of data protection law committed by a connected establishment based in another Member State (ie Facebook Ireland) without first calling on the supervisory authority of that other Member State (ie the Irish supervisory authority) to intervene?
In respect to question 1, the Court of Justice determined Wirtschaftsakademie to be a joint controller with Facebook in respect of the visitor data processed in relation to the fan page. In making this decision, the court emphasised the importance of interpreting the definition of a ‘controller’ broadly, and the circumstances in which two or more parties can be considered to be joint controllers. Although Facebook Ireland was the primary party responsible for determining how the page visitors’ data was processed, being a joint controller does not mean that the parties must have equal responsibility.
It was sufficient that Wirtschaftsakademie decided to create a fan page on the Facebook platform, thus giving Facebook the opportunity to place cookies on the visitor’s device, whether or not that person had a Facebook account. As a joint controller Wirtschaftsakademie could be held liable under the Data Protection Directive for the processing activities performed by Facebook.
The admissibility of question 2 was challenged by the ULD on the basis that the proceedings related to a company (Wirtschaftsakademie) established in Germany that is subject to the ULD’s jurisdiction. Neither Facebook Germany or Facebook Ireland were currently subject to any enforcement action from the supervisory authority for the alleged infringements. The Court of Justice dismissed this challenge, stating that it was for the German courts to determine what is relevant and, in any event, the question is relevant to deter-mining whether the ULD could and should take action against Facebook Germany for the alleged infringe-ments.
In response to question 2, the Court of Justice restated that it is for a supervisory authority to exercise its powers under the Data Protection Directive where the national law of its Member State applies. When determining this, the court outlined two tests which must be considered:
- is there an establishment of Facebook in Germany for the purposes of the Data Protection Directive? and
- was the processing carried out in the context of Facebook Germany’s activities?
In respect of both tests, the Court of Justice ruled in the affirmative. Firstly, referring to Weltimmo sro v Nemzeti Adatvédelmi és Információszabadság Hatóság Case C-230/14,  All ER (D) 32 (Oct), and recital 19 of the Data Protection Directive, it stated that an establishment is based within a territory of a Member State if that establishment undertakes the effective and real exercise of activity through stable arrangements. Facebook Germany was held to be an establishment for this purpose, as it ‘effectively and genuinely exercises activities in that Member State’.
With regards to the second test, the Court of Justice referred to the Weltimmo decision, which stated that processing carried out in the context of an establishment’s activities cannot be interpreted restrictively. Equally, in accordance with the judgment in Google Spain SL and another v Agencia Española de Protección de Datos (AEPD) and another Case C-131/12,  All ER (EC) 717, the establishment does not need to be the entity that is actually undertaking the processing. Facebook Germany was deemed responsible for promoting and selling advertising space in Germany, which was an activity directly relating to the infringements that the ULD had accused Wirtschaftsakademie of commiting. It was therefore deemed that the processing was carried out in the context of Facebook Germany’s activities and that the UCD was competent to exercise its enforcement powers against Facebook Germany.
The Court of Justice’s response to question 3 was straightforward. It held that the UCD, as the supervisory authority in Germany, was permitted to exercise its powers to uphold national law without being obliged to refer to or adopt the conclusion reached by another supervisory authority such as the Irish authority. The UCD was in fact entitled to independently assess the lawfulness of the processing by Wirtschaftsakademie and Facebook Germany.
What are the implications regarding the interpretation of ‘controller’, ‘establishment’ and the scope of authority of supervisory authorities under the GDPR regime?
The potential implications of enforcement action being taken against advertisers and technology companies are heightened by the GDPR taking effect from 25 May 2018. Although this particular case involved alleged infringements of the now repealed Data Protection Directive, the same principles outlined here on the interpretation of what it means to be a joint controller are still likely to be authoritative. Note the definition of controller under GDPR is very similar to that under the Directive.
The infringement itself was brought on the basis of both Facebook and Wirtschaftakademie failing to ade-quately notify visitors to the fan page that cookies would be installed on their device, and the purposes for which they were installed. It may be that these infringements have been remediated by Facebook since this case was brought, particularly in light of the newly strengthened transparency requirements which have come into effect under the GDPR.
With regards to the ruling on the interpretation of what it means to be an establishment, and the powers of supervisory authorities to enforce their national laws, the relevance of this case is less clear.
The GDPR introduces a new concept of a lead supervisory authority. The lead supervisory authority has primary responsibility for the enforcement of the GDPR against organisations that are involved in the ‘cross-border processing of personal data’. Cross-border processing includes processing which takes place ‘in the context of the activities of establishments in more than one Member State’. Applying the facts of this case, it seems likely that Facebook Ireland and Facebook Germany would be deemed to be undertaking cross-border processing.
The lead supervisory authority is determined with reference to where the controller has its ‘main establishment’, which is first of all deemed to be the place in which the controller has its ‘central administration’ in the EU. This would arguably be Facebook Ireland, which would hypothetically make the Irish supervisory authority the lead for any infringements committed by Facebook Germany.
A mechanism has been outlined in Articles 56 and 60–62 of the GDPR for what would happen in these circumstances. In theory, unless the UCD could show that the infringements in this case either related solely to an establishment in its Member State (eg Facebook Germany) or substantially affects data subjects only in its Member State, then it would not have any right to act on the infringement. Moreover, given the global nature of Facebook’s digital advertising practices, it may be difficult for the UCD to demonstrate that either of these conditions have been met in these circumstances. Having said that, focusing on Wirtschaftsakademie and its target audience, as opposed to fan pages generally, it would still be Germany, which may allow a local supervisory authority more influence.
Given that the GDPR remains in its infancy, the law in this area has yet to be put into practice, and it is therefore only likely to become clear what impact this ruling and the changes brought about under the GDPR may have once we see the first multi-jurisdictional enforcement actions being taken.
Article originally published in LexisNexis