What is next after the ECJ ruling on “Joint Control”

By Jörg-Alexander Paul, Simon Assion

07-2018

On 5 June 2018 the EU Court of Justice (ECJ) released a decision in the case of Wirtschaftsakademie Schleswig Holstein (case no C‑210/16). The decision deals mainly with the issue of “joint responsibility” in social media networks. The court found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page.

What are the key implications of the ruling, and what is next?

Background

The ECJ’s ruling is based on an action brought by the Wirtschaftsakademie Schleswig-Holstein (a training academy) against the data protection authority of the state of Schleswig Holstein (the ULD). In 2011, the ULD had ordered the Wirtschaftsakademie to deactivate its Facebook fan page because, according to the ULD, visitor data could be collected by Facebook via a cookie on the fan page without the visitors being informed. Wirtschaftsakademie sought legal protection against this order, arguing that it was not responsible for the data processing by Facebook. The Federal Administrative Court of Germany referred the case to the ECJ.

Essence of the ruling

In its ruling the ECJ finds that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible with Facebook for the processing of the data. The most important statements of the court are:

  • The ECJ says that the “joint responsibility” was triggered by the Wirtschaftsakademie defining the “parameters” of the fan page and by managing and promoting it. The court argues that by opening the fan page, Wirtschaftsakademie made it possible for Facebook to collect data of the visitors. In return, the Wirtschaftsakademie received statistics and other information about their visitors which they could use to optimise their offers.
  • It is worth noting that Facebook, on its own, was deploying cookies and collecting personal data to target relevant ads and content. Facebook did not share the personal data with Wirtschaftsakademie; it shared only anonymous statistical data. In this regard the court states very clearly that joint responsibility does not require that each of the controllers has access to the personal data concerned.
  • On the other hand, the court also states that “joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data”. It remains unclear what the court exactly meant by that statement – we will discuss the implications below.

Key implications

The court strictly limited itself to an assessment of the applicable case, and only applied the (now outdated) Data Protection Directive. The Directive already mentioned that controllers can “jointly determine the purposes and means of processing”, but did not comprise the detailed regulations on “Joint Control” that are now laid down in Article 26 GDPR. Consequently, the decision is quite open to interpretation and it remains unclear what exactly this decision means for the application of the GDPR.

However, the decision at least allows a first glimpse at how the ECJ will possibly interpret the concept of “joint control” under the GDPR. Most of the commentators, including the German data protection authorities, seem to interpret the ECJ’s ruling in a way that the ECJ’s concept of being “jointly responsible” is equivalent to the concept of “joint controllership” as laid down in Article 26 GDPR. Seen from this angle, the door is now open for a broader interpretation of the term “Joint Control”.

It is noteworthy, however, that a different interpretation of the ruling is possible, if not obvious. As said, the ECJ’s explanation of “joint responsibility” is followed by the clarification that the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. It remains an open question how this statement is to be seen in conjunction with the provisions of the GDPR.

  • On the one hand, Article 26 GDPR requires now that “joint controllers” enter into an “arrangement” in order to determine their respective responsibilities for compliance with the GDPR. This means that the parties can allocate spheres of responsibility between them. Naturally this allows that one party assumes “primary” responsibility. The data subjects, however, can exercise their rights against each of the joint controllers (Article 26 (3) GDPR).
  • And on the other hand, Article 82 GDPR constitutes that each controller “involved in processing” can be held liable for the entire damage caused by processing and not only the portion of the damage the respective controller is responsible for, except when the controller can prove that it is not in any way responsible for the event giving rise to the damage.

Both of these concepts are new to the GDPR compared to the Directive that was subject to the Court´s decision. But when the Court says that joint responsibility does not necessarily imply equal responsibility, this at least indicates that, when discussing “responsibility”, the ECJ did not speak of “joint control” in the meaning of Articles 26 and 82 GDPR, but had a different concept in mind.

What is next for the administrators of social media accounts?

Some German data protection authorities have already said that they now consider the companies operating Facebook sites to be joint controllers in the meaning of Article 26 GDPR. They have also stated that they expect both Facebook and the site operators to adhere to the corresponding legal requirements.

In particular, the German data protection authority of Nordrhein-Westfalen (LDI NRW) has published guidance (only in German). The recommended steps for fan page administrators include:

  • Obligation to provide transparent information: Facebook site´s operators must ensure that the visitors of a Facebook site are informed in line with Article 13 GDPR.
  • Collection of consent: According to the LDI NRW, tracking of visitors of the site by Facebook, either by using cookies or via other means requires prior consent.
  • Joint controller arrangement: According to Article 26 GDPR, an “arrangement” is necessary between the website operators and Facebook. The parties have to make the essential contents of this arrangement available to the users.

Facebook has already stated that it will take the necessary steps to ensure that the operators of Facebook sites can comply with the GDPR (the statement is available only in German). And it is also to be noted that neither the German data protection authorities, which have their own social media presences, nor the Wirtschaftsakademie Schleswig-Holstein have closed their presences so far.

Conclusions

The ECJ´s ruling has consequences not only for Facebook sites, but has wider implications for other instances where several controllers cooperate in a data processing activity. This can – depending on the circumstances – stretch to other presences on social media networks, but also to other activities. In any case, the concept of “joint control” is now clearly on the table, and further decisions of authorities and courts in this area are likely.

It can be expected that the concept of “joint controllership rules” will stay a “hot topic” in the next months. Future interpretations of data protection authorities and courts regarding the concept of “joint control” and “joint responsibility” should be under observation, especially by social media site administrators and website operators.