Tuesday, 26 June 2018

Facebook fan page case leads to new understanding of “joint controllers” concept

A recent ruling by the European Court of Justice (“ECJ”) has found that administrators of Facebook fan pages are joint controllers with Facebook for those pages.

What are joint controllers?
Article 26 of the General Data Protection Regulation (“GDPR”) states that “where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers”. The GDPR then sets out very specific obligations on joint controllers processing personal data, which must be complied with by those controllers.

There is some helpful information about joint controller relationships in WP29 Opinion 1/2010, the EU regulatory guidance on this topic. It explains that there may be various situations in which data controllers act together and that this may, in some circumstances, lead to joint and several liability, but that this is not necessarily the rule.

Guidance from the Information Commissioner’s Office (“ICO”) under the old law provided a distinction between joint controllers and controllers in common. It suggested that joint controllers would be acting together to decide the purposes and manner of data processing, whereas controllers in common would simply share a pool of personal data that they processed independently of one another.

We hope that the new European Data Protection Board (“EDPB”) will soon update the previous EU guidance on determining controller, processor and joint controller relationships and that the ICO will then follow suit.

It is our experience that most organisations find these relationships very difficult to identify and that they will therefore struggle to ensure compliance with the new more stringent GDPR obligations on joint controllers.

What are the details of the case and what’s new in relation to “joint controller” relationships?
On 5 June 2018, the ECJ delivered its verdict in a case concerning a German company that had been using a Facebook fan page for marketing purposes. The company could obtain viewing statistics for its fan page via the Facebook Insights tool, which works by Facebook using cookies to collect personal data about visitors to the fan page. The company operating the fan page received only anonymous statistical data about its visitors, on the basis of which it could commission Facebook to place targeted advertisements there. The company had no access to identifiable personal data.

The company had not made it clear to visitors of its page that Facebook was using cookies to gather personal data about them in order to produce statistical information and carry out targeted advertising. As a result of this, the German data protection authority (regulator) ordered the company to deactivate its fan page, but the latter took the issue to court, arguing that the data controller in this case was not itself, but Facebook Ireland. It argued this on the basis that it did not itself hold the information to identify the individuals. The German courts agreed, but asked the ECJ to consider the issues.

What were the reasons behind the ECJ’s “joint controller” verdict?
The ECJ’s verdict (which followed Advocate General Bot’s earlier opinion) concluded that the administrator of a fan page on Facebook must be regarded as being, along with Facebook Inc. and Facebook Ireland, a controller of the processing of personal data that is carried out for the purpose of compiling viewing statistics for that fan page.

The ECJ said that the fan page administrator could be a controller because:

  • It agreed to Facebook placing cookies.
  • It set processing parameters that influenced or contributed to the purposes and manner of Facebook’s processing.
  • The data in question was sensitive in terms of its privacy impact (e.g. demographic data including trends in terms of age, sex, relationship and occupation, and information on visitors’ purchases and online purchasing habits) and the ultimate purposes, i.e. targeted advertising.
  • Non-Facebook users could visit the fan page, so privacy notices were imperative.
  • The fact that the fan page administrator had no access to the personal data that Facebook obtained did not preclude it from being a data controller. The definition of “data controller” in Directive 95/46/EC does not talk about access to personal data.

What does the verdict mean for the rest of us?
The ECJ’s verdict has, no doubt, extended the interpretation in relation to which organisations can be considered controllers and indeed joint controllers. This will have a wider impact on many business relationships.

In the absence of current, clear EU/ICO guidance on this point, organisations should consider:

  • Whether their data-sharing relationships involve joint participation in a business activity that requires processing the same personal data, or alternatively simply sharing the same pool of personal data for different and distinct purposes.
  • If and to what extent any decisions are taken together by relevant parties.
  • Specific data flows in their data-sharing relationships:
    • Will the data flows always be the same or will they change in different data-sharing processes? (The latter is more likely.)
    • Is it possible to separate out specific decision-making processes and business logic in relation to different data-processing activities carried out by the respective different parties in a way that demonstrates situations where they determine the means and purposes together?
  • Carrying out data protection impact assessments (“DPIAs”) to assess data-sharing relationships. To comply with the accountability principle and the concepts of privacy by design, organisations should consider carrying out a DPIA to make their evaluation and demonstrate the factors that they have considered before coming to their conclusion and putting the appropriate compliance measures in place.
  • Carrying out a regular review/follow-up DPIA to see whether their data-processing relationships and relationships between parties change over time and therefore require a different compliance route to be followed.

All organisations running Facebook fan pages or any other social media pages should ensure that those social media pages display clear links to the organisation’s privacy policy and in particular how information obtained on that fan page may be used (including an explanation of analytics carried out, targeted advertising and cookie use, etc.).

Next steps
If you require assistance with reviewing or upgrading your website or corporate social media site pages for compliance, Pritchetts Law LLP would be delighted to assist. Please contact us here.