How do I know if I am a data controller? In particular, how do data controller responsibilities work when it comes to cookies operating on my website (especially for targeted advertising purposes)? The GDPR has not invented these questions, but it has injected them with urgency and sharpness. The CJEU’s judgment in the ‘Facebook Fan Page’ case, handed down this morning, is a very significant contribution on increasingly important issues of this kind.
The case is Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd (Case C-210/16). The case is not just about the ‘data controller’ issue. It is also about the jurisdiction of data protection regulators in respect of cross-border or multinational processing activities. That issue is hugely important under the GDPR, with its ‘one-stop shop’ aspiration embodied in its provisions governing lead supervisory authorities. I’ll come back to that issue in a second post, and focus here on the data controller issue.
First, some background to the case, which I take from my post on Advocate General Bot’s Opinion, given in November 2017:
A German company offering education and training services set up a Facebook fan page that allowed it to obtain viewing statistics via the ‘Facebook Insights’ tool. Basically, Facebook uses cookies to collect personal data about visitors to the company’s page; the company gets anonymous statistical data about visitors to its web page, and it gets Facebook to place targeted advertisements (i.e. adverts tailored to the visitor’s behaviour and interests) on the fan page. Under these arrangements, the German company does not obtain any personal data – only Facebook does.
The problem for the German company was that it failed to alert visitors to its page about all of this, i.e. that Facebook would use cookies to gather personal data about them in order to produce statistics and targeted advertising. The Schleswig-Holstein data protection authority (DPA) ordered the company to deactivate its fan page.
The company challenged that order in the German courts. For one thing, it said: ‘I am not a data controller of any personal data – Facebook is. So a DPA can’t make an order against me – it must make an order against Facebook, and specifically Facebook Ireland’.
The German courts agreed that the company was not a data controller, as the controller was Facebook Ireland. It sought the CJEU’s preliminary ruling on (among other things) whether or not a DPA could make an order against a non-controller.
But Advocate General Bot rejected the premise of the question. In his view, this was a “pluralistic”, multi-controller situation: Facebook Ireland was certainly a controller of the personal data relating to visits to the company’s fan page, but the fan page account holder was also a data controller – and so, for that matter, was Facebook Inc.
In its judgment given today, the CJEU has agreed with Advocate General Bot’s broad approach and his conclusions about the identification of the data controllers.
Who are the data controllers?
There was no argument about whether or not Facebook Inc. being a data controller. That issue was left to one side, with no apparent challenge to Advocate General Bot’s view.
The live issue was whether the company using the Facebook fan page service was a controller, particularly bearing in mind that it never actually obtained or had any access to any personal data obtained via Facebook’s cookies. The CJEU’s answer in a nutshell was this (para 35; my emphasis):
“While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network, it must be stated, on the other hand, that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.”
Why does that – i.e. giving Facebook a chance to place cookies – make the fan page holder a controller? The CJEU fleshes out its reasoning at para 36 (my emphasis again):
“… the creation of a fan page on Facebook involves the definition of parameters by the administrator, depending inter alia on the target audience and the objectives of managing and promoting its activities, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page. The administrator may, with the help of filters made available by Facebook, define the criteria in accordance with which the statistics are to be drawn up and even designate the categories of persons whose personal data is to be made use of by Facebook. Consequently, the administrator of a fan page hosted on Facebook contributes to the processing of the personal data of visitors to its page.”
So, the fan page holder was a controller because it set processing parameters that influenced or contributed to the purposes and manner of Facebook’s processing.
The CJEU also highlighted the sensitivity of much of the data in terms of its privacy impact, as well as the ultimate purposes, i.e. targeted advertising. See para 37:
“In particular, the administrator of the fan page can ask for — and thereby request the processing of — demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.”
In any event, the fact that the fan page holder had no access to the personal data Facebook obtained did not preclude it from being a data controller (para 38). The definition of ‘data controller’ in Directive 95/46/EC does not talk about access to personal data.
If I am a data controller, am I on the hook for everything to do with this personal data?
No. See para 43:
“… the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.”
Thanks, I hear you groan. “All the relevant circumstances of the particular case” – what does that mean for me? I think it urges us to hone in on the specific processing operations at work in a complex activity like the cookie-based analytics involved in this case, and then to ascertain which controller has responsibilities for each operation. There may, for example, be some parts of the processing chain where Facebook must shoulder the controller’s duties, some where the fan page user does so, and some where both do so. That seems to be the sort of thing the CJEU is getting at.
How did the use of cookies affect the analysis here?
Under the GDPR, cookies get no special treatment of their own. They are, however, omnipresent tools for obtaining and processing personal data online. The CJEU described the reach of Facebook’s cookies, in terms of where they appear (and for how long they operate), as well as who uses the data obtained. See para 33:
“… the data processing at issue in the main proceedings is essentially carried out by Facebook placing cookies on the computer or other device of persons visiting the fan page, whose purpose is to store information on the browsers, those cookies remaining active for two years if not deleted. It also appears that in practice Facebook receives, registers and processes the information stored in the cookies in particular when a person visits ‘the Facebook services, services provided by other members of the Facebook family of companies, and services provided by other companies that use the Facebook services’. Moreover, other entities such as Facebook partners or even third parties ‘may use cookies on the Facebook services to provide services [directly to that social network] and the businesses that advertise on Facebook’.”
The CJEU also highlighted the sensitivity of the data obtained for the purposes of targeted advertising (see para 37, above). It also appeared to be concerned by the fact that some visitors to the fan page will have no relationship of their own with Facebook, but find their personal data drawn into Facebook’s processing operations when they visit the fan page. See para 41:
“It must be emphasised, moreover, that fan pages hosted on Facebook can also be visited by persons who are not Facebook users and so do not have a user account on that social network. In that case, the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data.”
This appears to underscore the importance of privacy notices explaining things – including the operation of cookies – to visitors. This litigation, after all, was sparked by a regulatory finding that the fan page holder failed to have a privacy notice in place.
Jurisprudence on pivotal concepts like ‘data controllers’ will of course evolve as the GDPR beds in. This judgment is, however, essential reading for now, both on the ambit of the term ‘data controller’, and also on how data protection considerations apply to the use of cookies, particularly in the context of targeted advertising.
I will return to the regulatory jurisdictional issue in another post.
Robin Hopkins @hopkinsrobin