Tuesday, 26 June 2018

Facebook fan page case leads to new understanding of “joint controllers” concept

A recent ruling by the European Court of Justice (“ECJ”) has found that administrators of Facebook fan pages are joint controllers with Facebook for those pages.

What are joint controllers?
Article 26 of the General Data Protection Regulation (“GDPR”) states that “where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”. The GDPR then sets out very specific obligations on joint controllers processing personal data, which must be complied with by those controllers.

There is some helpful information about joint controller relationships in the WP29 Opinion 1/2010 EU regulatory guidance. It explains that there may be various situations when data controllers are acting together and that this may lead in some circumstances to joint and several liabilities, but this is not necessarily a rule.

Guidance from the Information Commissioner’s Office (“ICO”) under the old law provided a distinction between joint controllers and controllers in common. It suggested that joint controllers would be acting together to decide the purposes and manner of data processing, whereas controllers in common would simply share a pool of personal data that they processed independently of one another.

We hope that the new European Data Protection Board (“EDPB”) will soon update the previous EU guidance on determining controller, processor and joint controller relationships and that the ICO will then follow suit.

It is our experience that most organisations find these relationships very difficult to identify and that they will therefore struggle to ensure compliance with the new more stringent GDPR obligations on joint controllers.

What are the details of the case and what’s new in relation to “joint controller” relationships?
On 5 June 2018, the ECJ delivered its verdict on a case that concerned a German company that had been using a Facebook fan page for marketing purposes. The company could obtain viewing statistics for its fan page via the Facebook Insights tool, which works by Facebook using cookies to collect personal data about visitors to the fan pages. The company operating the fan page was only provided with anonymous statistical data about visitors to its fan page, whereby it could commission Facebook to place targeted advertisements there. The company had no access to identifiable personal data.

The company had not made it clear to visitors of its page that Facebook was using cookies to gather personal data about them in order to produce statistical information and carry out targeted advertising. As a result of this, the German data protection authority (regulator) ordered the company to deactivate its fan page, but the latter took the issue to court, arguing that the data controller in this case was not itself, but Facebook Ireland. It argued this on the basis that it did not itself hold the information to identify the individuals. The German courts agreed, but asked the ECJ to consider the issues.

What were the reasons behind the ECJ’s “joint controller” verdict?
The ECJ’s verdict (which followed Advocate General Bot’s earlier opinion) concluded that the administrator of the fan page on Facebook must be regarded as being, along with Facebook Inc. and Facebook Ireland, a controller of the processing of personal data that is carried out for the purpose of compiling viewing statistics for that fan page.

The ECJ said that the fan page administrator could be a controller because:

  • It agreed to Facebook placing cookies.
  • It set processing parameters that influenced or contributed to the purposes and manner of Facebook’s processing.
  • The data in question was sensitive in terms of its privacy impact (e.g. demographic data including trends in terms of age, sex, relationship and occupation, and information on visitors’ purchases and online purchasing habits) and the ultimate purposes, i.e. targeted advertising.
  • Non-Facebook users could visit the fan page, so privacy notices were imperative.
  • The fact that the fan page administrator had no access to the personal data that Facebook obtained did not preclude it from being a data controller. The definition of “data controller” in Directive 95/46/EC does not talk about access to personal data.

What does the verdict mean for the rest of us?
The ECJ’s verdict has, no doubt, broadened the interpretation of which organisations can be considered controllers and, indeed, joint controllers. This will have a wider impact on many business relationships.

In the absence of current, clear EU/ICO guidance on this point, organisations should consider:

  • Whether their data-sharing relationships involve joint participation in a business activity that requires processing the same personal data, or alternatively simply sharing the same pool of personal data for different and distinct purposes.
  • If and to what extent any decisions are taken together by relevant parties.
  • Specific data flows in their data-sharing relationships:
    • Will the data flows always be the same or will they change in different data-sharing processes? (The latter is more likely.)
    • Is it possible to separate out specific decision-making processes and business logic in relation to different data-processing activities carried out by the respective different parties in a way that demonstrates situations where they determine the means and purposes together?
  • Carrying out data protection impact assessments (“DPIAs”) to assess data-sharing relationships. To comply with the accountability principle and the concepts of privacy by design, organisations should consider carrying out a DPIA to make their evaluation and demonstrate the factors that they have considered before coming to their conclusion and putting the appropriate compliance measures in place.
  • Carrying out a regular review/follow-up DPIA to see whether their data-processing relationships and relationships between parties change over time and therefore require a different compliance route to be followed.

All organisations running Facebook fan pages or any other social media pages should ensure that those social media pages display clear links to the organisation’s privacy policy and in particular how information obtained on that fan page may be used (including an explanation of analytics carried out, targeted advertising and cookie use, etc.).

Next steps
If you require assistance with reviewing or upgrading your website or corporate social media site pages for compliance, Pritchetts Law LLP would be delighted to assist. Please contact us here.

Tuesday, 17 April 2018

Ben Wootton Promoted to Partner of Pritchetts Law LLP

On 6 April 2018, Ben Wootton was promoted to Partner of Pritchetts Law LLP. Ben has been a Senior Solicitor for Pritchetts Law for nearly four years.

The specialist data protection law firm has shown strong growth since it was founded in 2009 by Partner Stephanie Pritchett.

In recognition of its outstanding offering, Pritchetts Law was once again ranked as a leading national and regional firm in the most recent edition of The Legal 500. This well-regarded directory of top UK law firms describes Pritchetts Law as “a highly recommended specialist firm with extensive and in-depth data protection and privacy expertise”.

After setting up Pritchetts Law nine years ago, Stephanie quickly established its status as a leading UK data protection specialist firm. It advises a wide range of clients across many sectors, consistently punching above its weight and winning work from larger competitors.

Stephanie and Ben have featured on various BBC television and radio programmes, discussing topical data protection issues. They also speak regularly at events and conferences, as well as delivering market-leading data protection and GDPR training courses.

Since Ben joined the firm in 2014, clients have come to recognise his strength in this area. In its independent ranking of Ben Wootton as a “Recommended Lawyer”, The Legal 500 commends “his knowledge of data protection [and] strong feel for the commercial realities that companies face”. See more about our independent rankings here.

Of Ben’s promotion, Stephanie Pritchett said, “I am delighted to formalise what has already been a great partnership with my colleague, Ben Wootton. I couldn’t be more thrilled to have such a smart, dedicated and extremely personable partner aboard the good ship Pritchetts Law LLP.”

Of entering into partnership at Pritchetts Law LLP, Ben said, “Stephanie has worked tirelessly to build an extremely well-regarded practice over the last nine years. I am looking forward to continuing the excellent work we have done together over the last four years. We both aim to help clients achieve their commercial objectives while navigating the choppy waters of data protection – we make a great team.”

The team have most recently been helping clients across the UK, and internationally, with preparations for compliance with the EU General Data Protection Regulation (GDPR).

In fact, so great is the demand for the expertise of Pritchetts Law LLP that the firm has recently recruited a consultant solicitor, Al Goodwin, who is a senior commercial contracts specialist lawyer. He trained at top City law firm Freshfields Bruckhaus Deringer, going on to work at several well-known global and national firms (including five years as a partner successfully growing a new practice area). Al has most recently spent two years as Head of Commercial in a global advanced manufacturing and engineering group.

For more information about what Pritchetts Law LLP can offer, visit the firm’s website. For comment on topical data protection issues, read the Pritchetts Law LLP blog, and follow the firm on LinkedIn and Twitter.