Data Privacy HubA LINK TO THE FULL JUDGEMENT CAN BE FOUND HERE
The case arose around a dispute between the data protection authority of Schleswig Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig Holstein, ULD) and the Wirtschaftsakademie Schleswig-Holstein GmbH (Wirtschaftsakademie), a private-law company operating in the field of education. The ULD ordered Wirtschaftsakademie to deactivate its fan page on Facebook, on the grounds that neither Wirtschaftsakademie nor Facebook notified visitors that a cookie was dropped on their devices, nor that this data would subsequently be processed, during the time when the case was ongoing.
Wirtschaftsakademie then issued a complaint against the decision arguing that it is not the responsible entity (i.e. ‘controller’) for the processing of the data by Facebook, or the cookies which were placed by Facebook. The ULD dismissed this complaint and argued that using Facebook to host its fan page meant that it made an active and deliberate contribution to the collection by Facebook of personal data, relating to visitors to the fan page, and that Wirtschaftsakademie profited from this by means of the anonymous statistics Facebook provided to it.
This kicked off the legal battle in the German administrative judicial system – with Wirtschaftsakademie bringing an action against the ULD in the Administrative Court – which ruled in its favour. The ULD appealed until the case reached the highest instance. The Federal Administrative Court then stayed proceedings and referred the case to the CJEU for a preliminary ruling to understand, inter alia, what the term ‘controller’ should be interpreted as.
The CJEU looked at several aspects of the relationship between Wirtschaftsakademie and Facebook - the goal was to determine whether they are able to decide on the means and purposes of data processing by choosing to put their fan page on Facebook, as opposed to other solutions. In this regard, the CJEU stated that the term ‘controller’ must be interpreted broadly in order to ensure the goals of data protection law can be adequately met.
While the CJEU found that the Wirtschaftsakademie wasn’t able to exercise any influence over the terms of their contractual relationship with Facebook, it did argue that the choice of creating a fan-page on Facebook provides an opportunity for the latter to collect personal data of Wirtschaftsakademie’s followers, by leading potential non-Facebook users to the site and allowing Facebook to place a cookie on their devices.
Furthermore, as the administrator of the page, the Wirtschaftsakademie was able to use Facebook’s filters to see usage statistics for categories of visitors to the page. The CJEU considered that the use of those filters again creates a reason for Facebook to collect personal data about visitors in order to enable this categorisation for the feature which Wirtschaftsakademie uses. Even though the information presented through these filters is not personal data, they allow Wirtschaftsakademie to target users based on their age, gender, relationship status and other categories - i.e. by promoting certain articles to specific segments of their user base.
These findings, combined with the CJEU’s insistence that the term ‘controller’ has to be interpreted broadly, meant that Wirtschaftsakademie must be considered a joint controller with Facebook, as they do have a part to play in the means and purposes of processing personal data. A key factor in this finding is that non-Facebook users could be brought to the Facebook fan-page of Wirtschaftsakademie, which may otherwise not have been within Facebook’s sphere of influence.
The judgment could be used to make a strong argument that targeted advertising implies joint controllership of advertisers with the platforms or other ad tech providers which help them target their ads to users. Following the CJEU’s logic, if an advertiser uses any service which collects data about users in order to target advertising to them, the advertiser makes a contribution to the processing of personal data because they make use of the tool for which the data was collected.
In general, the judgment also makes two important points for an ecosystem which is so interconnected; first, that the concept of a ‘controller’ will be defined very broadly by the CJEU in order to ensure a high level of protection for personal data, and secondly that joint controllership does not imply equal controllership.
The first point implies broad application of ‘controllership’ – using the argumentation that the CJEU employs here, it may be possible to define many organisations as joint controllers, and this judgment might have ‘opened the floodgates’ to many far-reaching interpretations of the definition. However, the second point may serve as a safeguard to that wide interpretation, to establish that joint controllers may still be able to limit their individual responsibility by choosing to interact very carefully with its other joint controllers.
