On 5 June 2018 the EU Court of Justice (ECJ) released a decision in the case of Wirtschaftsakademie Schleswig Holstein (case no C‑210/16). The decision deals mainly with the issue of “joint responsibility” in social media networks. The court found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page.
What are the key implications of the ruling, and what is next?
The ECJ’s ruling is based on an action brought by the Wirtschaftsakademie Schleswig-Holstein (a training academy) against the data protection authority of the state of Schleswig Holstein (the ULD). In 2011, the ULD had ordered the Wirtschaftsakademie to deactivate its Facebook fan page because, according to the ULD, visitor data could be collected by Facebook via a cookie on the fan page without the visitors being informed. Wirtschaftsakademie sought legal protection against this order, arguing that it was not responsible for the data processing by Facebook. The Federal Administrative Court of Germany referred the case to the ECJ.
Essence of the ruling
In its ruling the ECJ finds that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible with Facebook for the processing of the data. The most important statements of the court are:
The court strictly limited itself to an assessment of the applicable case, and only applied the (now outdated) Data Protection Directive. The Directive already mentioned that controllers can “jointly determine the purposes and means of processing”, but did not comprise the detailed regulations on “Joint Control” that are now laid down in Article 26 GDPR. Consequently, the decision is quite open to interpretation and it remains unclear what exactly this decision means for the application of the GDPR.
However, the decision at least allows a first glimpse at how the ECJ will possibly interpret the concept of “joint control” under the GDPR. Most of the commentators, including the German data protection authorities, seem to interpret the ECJ’s ruling in a way that the ECJ’s concept of being “jointly responsible” is equivalent to the concept of “joint controllership” as laid down in Article 26 GDPR. Seen from this angle, the door is now open for a broader interpretation of the term “Joint Control”.
It is noteworthy, however, that a different interpretation of the ruling is possible, if not obvious. As said, the ECJ’s explanation of “joint responsibility” is followed by the clarification that the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. It remains an open question how this statement is to be seen in conjunction with the provisions of the GDPR.
Both of these concepts are new to the GDPR compared to the Directive that was subject to the Court´s decision. But when the Court says that joint responsibility does not necessarily imply equal responsibility, this at least indicates that, when discussing “responsibility”, the ECJ did not speak of “joint control” in the meaning of Articles 26 and 82 GDPR, but had a different concept in mind.
What is next for the administrators of social media accounts?
Some German data protection authorities have already said that they now consider the companies operating Facebook sites to be joint controllers in the meaning of Article 26 GDPR. They have also stated that they expect both Facebook and the site operators to adhere to the corresponding legal requirements.
In particular, the German data protection authority of Nordrhein-Westfalen (LDI NRW) has published guidance (only in German). The recommended steps for fan page administrators include:
Facebook has already stated that it will take the necessary steps to ensure that the operators of Facebook sites can comply with the GDPR (the statement is available only in German). And it is also to be noted that neither the German data protection authorities, which have their own social media presences, nor the Wirtschaftsakademie Schleswig-Holstein have closed their presences so far.
The ECJ´s ruling has consequences not only for Facebook sites, but has wider implications for other instances where several controllers cooperate in a data processing activity. This can – depending on the circumstances – stretch to other presences on social media networks, but also to other activities. In any case, the concept of “joint control” is now clearly on the table, and further decisions of authorities and courts in this area are likely.
It can be expected that the concept of “joint controllership rules” will stay a “hot topic” in the next months. Future interpretations of data protection authorities and courts regarding the concept of “joint control” and “joint responsibility” should be under observation, especially by social media site administrators and website operators.