It’s as if everyone has their head down preparing for the GDPR. Recent weeks have produced very little by way of judgments in the data protection area. They have, however, produced an Advocate General’s opinion in a case about the data controllers of Facebook fan pages. That opinion is worth noting because (rightly or wrongly) it casts the net very widely, bringing multiple entities within the definition of data controllers.
The case is Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd (Case C-210/16). I think I’ll call it the fan page case. AG Bot’s opinion is here: AG Bot fan page opinion.
In outline:
A German company offering education and training services set up a Facebook fan page that allowed it to obtain viewing statistics via the ‘Facebook Insights’ tool. Basically, Facebook uses cookies to collect personal data about visitors to the company’s page; the company gets anonymous statistical data about visitors to its web page, and it gets Facebook to place targeted advertisements (i.e. adverts tailored to the visitor’s behaviour and interests) on the fan page. Under these arrangements, the German company does not obtain any personal data – only Facebook does.
The problem for the German company was that it failed to alert visitors to its page about all of this, i.e. that Facebook would use cookies to gather personal data about them in order to produce statistics and targeted advertising. The Schleswig-Holstein data protection authority (DPA) ordered the company to deactivate its fan page.
The company challenged that order in the German courts. For one thing, it said: I am not a data controller of any personal data – Facebook is. So a DPA can’t make an order against me – it must make an order against Facebook, and specifically Facebook Ireland.
The German courts agreed that the company was not a data controller, as the controller was Facebook Ireland. It sought the CJEU’s preliminary ruling on (among other things) whether or not a DPA could make an order against a non-controller.
But Advocate General Bot rejected the premise of the question. In his view, this was a “pluralistic”, multi-controller situation: Facebook Ireland was certainly a controller of the personal data relating to visits to the company’s fan page, but Facebook Inc. and the fan page account holder were also data controllers.
AG Bot’s opinion also considers questions about the jurisdiction of a German DPA over Facebook Ireland in such circumstances, but I leave that aside for now, given that (as AG Bot noted) the GDPR will introduce an entirely new jurisdictional regime. It is AG Bot’s wide approach to the concept of a data controller that has caught Panopticon’s eye.
AG Bot noted that the concept needed to be construed broadly, and that this is a matter of substance rather than form (for example, you can’t avoid being a data controller just be using contractual terms that say you’re not one).
In AG Bot’s view, Facebook Inc. was a data controller alongside Facebook Ireland because:
- It designed the processing in question and “developed the general economic model in accordance with which the collection of personal data during visits to fan pages and then the processing of that data enables the publication of personalised advertisements and the compilation of viewing statistics for fan page administrators” (para 48).
- “… Facebook Ireland has been designated by Facebook Inc. as being responsible for the processing of personal data within the European Union” (para 49).
- “… some or all of the personal data of Facebook’s users who reside in the European Union is transferred to servers belonging to Facebook Inc. that are located in the United States, where it undergoes processing” (para 50).
- Therefore, Facebook Inc. was – together with Facebook Ireland – in sufficient control of the manner and purposes of processing. It was one of the data controllers in this “pluralistic” control model.
AG Bot also decided that the fan page account holder was a third controller in this pluralistic model, even though it was first and foremost a user of Facebook tools for obtaining anonymised statistics:
- The account holder did not actually process any personal data, but it did (together with Facebook Ireland and Facebook Inc.) determine the manner and purposes of the processing, because it opted to use these Facebook tools in the first place (paras 56-57). But for that decision, the data would never have been processed. The account holder understood what Facebook would do, and it signed up for these services in order to obtain benefits of its own.
- The account holder also influenced what Facebook did with personal data, for example by setting filters and defining the parameters of website visitors for whom it wished to receive anonymous data (para 58).
- AG Bot also took a purposive approach: if the account holder had done these things using its own website, it would plainly be a controller, so it should not allowed to evade those responsibilities just by using a Facebook tool to do the same work (para 64).
AG Bot’s approach is very bold. For one thing, he has rejected the premise of the question referred to the CJEU in a way that some would regard as straying outside the CJEU’s role (namely, to answer the question, not set a new question). Some may also query whether he strayed beyond legal guidance and into findings of fact about how this pluralistic model operated.
More substantively, however, it remains to be seen whether the Court will take as wide a view as AG Bot of the concept of a data controller. In places, AG Bot’s analysis suggests that anyone who exerts any influence over the processing of personal data – for example by using a product or service that entails such processing – is a controller. If that is what he is saying, then questions abound.
Take for example a company that commissions external market research using focus groups. The company only cares about and only ever receives anonymous data, but personal data was processed to get that data. Is the company therefore a controller of that personal data?
The same goes for the indicia of control AG Bot relies upon to bring Facebook Inc. into the frame. For example, if you develop a tool or “economic model” that others then use for processing personal data, are you a controller in respect of their processing?
If the answer to such questions is yes, even the broad approach apparent from the Google Spain judgment is being stretched to new limits. The boundaries of liability in such “pluralistic” models would be very hard to define.
Panopticon will keep its beady eye out for the CJEU’s judgment to see if it likes AG Bot’s approach.
Robin Hopkins @hopkinsrobin