November 13, 2017

The defendant, Wirtschaftsakademie Schleswig-Holstein GmbH, provides education and training services via a fan page hosted on Facebook by Facebook Ireland. The claimant, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD) is a German regional data-protection authority.

To set up a fan page, the fan page administrator must first register with Facebook. It can then use the Facebook platform to present itself to users of the social network and to post information.

Facebook uses “web tracking” software to observe and analyse the behaviour of internet users for commercial and marketing purposes. Facebook applied this software to all visitors of Wirtschaftsakademie’s fan page.

In November 2011, ULD ordered Wirtschaftsakademie to deactivate its Facebook fan page on the ground that neither Wirtschaftsakademie nor Facebook had informed visitors to the fan page that Facebook was collecting their personal data with the aid of cookies and was then processing that data. Wirtschaftsakademie challenged that decision, arguing that it was not responsible for the data processing carried out by Facebook or for the cookies that Facebook had installed.

ULD dismissed Wirtschaftsakademie’s objection, so Wirtschaftsakademie applied to the German courts. The court set aside ULD’s decision, finding that the administrator of a Facebook fan page is not a “controller”. ULD appealed and the matter eventually reached the Federal Administrative Court, which has asked the CJEU various questions. First, it has asked whether, under the Directive, data protection authorities can exercise their powers of intervention against a body that is not a “controller” under Article 2(d), but which might nevertheless be held liable in the event of infringement on account of it using a social network, such as Facebook, to promote its business.

Advocate General Bot opined that the question rests on the premise that Wirtschaftsakademie is not a “controller” within the meaning of Article 2(d). However, he considered that premise to be incorrect. In his opinion, Wirtschaftsakademie is jointly responsible for the data processing that comprises the collection by Facebook of personal data. In other words, the administrator of a fan page on Facebook is, together with Facebook, a controller of the processing of personal data that is carried out for the purpose of compiling viewing statistics for that fan page.

The German court has also asked whether a data protection authority is entitled to exercise its powers of intervention in the situation where a parent company established outside the EU (i.e. Facebook Inc) is providing services within the EU via subsidiaries, in order to stop the personal data processing at issue and, secondly, against which establishment such powers can be exercised. The AG noted that Facebook Ireland, is designated by Facebook Inc as the controller of personal data processing in the EU and Facebook Germany is responsible for the promotion and sale of advertising space and other marketing measures directed toward residents in Germany.

The AG opined that Article 4(1)(a) of the Directive should be interpreted to mean that personal data processing, such as in this case, occurs when it is carried out in the context of the activities of the controller’s company (i.e. Facebook Ireland) in the territory of a Member State in which that company has set up a subsidiary (i.e. Facebook Germany) that is intended to promote and sell advertising space offered by that undertaking and which directs its activities toward residents in that Member State.

Further, the AG said, where the national law that applies to the processing of personal data in question is that of the Member State to which a supervisory authority belongs, Article 28(1), (3) and (6) should be interpreted to mean that that supervisory authority may exercise all the effective powers of intervention conferred on it against the controller, including where that controller is established in another Member State or even in a third country. (C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (Advocate General Opinion) (24 October 2017) — to read the Opinion in full, go to the curia search form, type in the case number and follow the link).