By Orla Lynskey
The data protection practices of social networking giant Facebook have been the subject of much regulatory and public scrutiny in recent months, from the Cambridge Analytica saga to the allegation that Facebook’s consent mechanism is not GDPR-compliant and its terms of service constitute an abuse of dominance. The recent judgment of the Grand Chamber of the CJEU is therefore likely to add to Facebook’s data protection woes, by increasing the pressure on it to reconsider the data processing practices that underpin its business model.
The case, a preliminary reference from the German Federal Administrative Court, arose in the context of proceedings between the data protection authority of Schleswig-Holstein (the ULD) and Wirtschaftsakademie, a private company operating in the field of education. Wirtschaftsakademie offers its educational services through a ‘fan page’ hosted by the Facebook platform, a customised page that interested parties (‘fans’) can visit. Wirtschaftsakademie also obtained anonymised statistical information from Facebook (‘Facebook insights’) regarding visitors to the fan page. This statistical data is compiled by placing cookies, active for two years, on the personal device of the fan page visitor. When the fan page is open, user data is transmitted to the cookie. The ULD’s grievance with this practice was that information regarding the data processing of Facebook fan page visitors was not communicated to users by Facebook or the Wirtschaftsakademie.
As a result of this failure to notify fan page users of the data processing, the ULD ordered the Wirtschaftsakademie to deactivate its fan page. Wirtschaftsakademie contested this decision arguing that it was not responsible for the installation of the cookie on user devices and the subsequent data processing by Facebook. The ULD disagreed, noting that Wirtschaftsakademie had made an active and deliberate contribution to the collection of this data by Facebook and that it benefitted from this processing by receiving ‘Facebook Insights’. The subsequent litigation, culminating in the Federal Administrative Court, centred on the attribution of responsibility for the contested data processing.
The German Court referred six questions to the CJEU, essentially querying whether Wirtschaftsakademie could be held responsible for the breach of data protection law (questions 1 and 2); the jurisdictional question of whether the ULD had the competence to exercise its powers, given that Facebook’s primary establishment for data protection purposes is in another EU Member State (questions 3 and 4); and, whether there were constraints on the ULD’s competences given that its assessment inherently entails an appraisal of the legality of the actions of a third-party established in another EU Member State (in this case, Facebook established in Ireland) (questions 5 and 6).
On the attribution of liability, the Court began by recalling that the Data Protection Directive aims to ensure a high level of fundamental rights protection and that the concept of ‘controller’ is broadly defined in order to ensure ‘effective and complete’ protection for individuals. It then noted that the wording of the Directive (which remains substantially unchanged in Article 4(7) GDPR) does not limit ‘data controller’ to a single entity but rather may concern several actors partaking in that processing, with each of them subject to the relevant data protection rules. It therefore found that Facebook Inc and Facebook Ireland primarily determine the purposes and means of the processing of fan page user data, and are therefore controllers (para 30).
In particular, the Court highlighted that the fan page administrator could specify and request forms of anonymised demographic data (including information on age, lifestyle, spending habits etc) that would necessitate the processing of this data (para 37). The production of this data, derived from the data extracted from cookies, constitutes personal data processing, even if the final data transmitted to the fan page administrator is anonymous (para 38). By defining the parameters for data processing in this way, the fan page administrator – Wirtschaftsakademie in this instance – constitutes a joint data controller (para 39).
The Court emphasised that the use of the Facebook platform does not exempt fan page administrators from data protection compliance and that their responsibility is further enhanced when the visitor to the fan page is not a registered Facebook user (paras 40 and 41). Such recognition of joint responsibility contributes, according to the Court, to the more complete rights protection of fan page visitors. Yet, it concurred with Advocate General Bot that joint responsibility does not equate to equal responsibility, noting that joint controllers may be involved in different stages of processing to different degrees (para 43).
On the second set of jurisdictional questions, the Court began by restating that, first, the national law of a Member State can be applicable to processing where the processing is carried out in the context of the activities of an establishment in that Member State. Such an establishment requires the exercise of real and effective activity through stable arrangements, irrespective of its legal form. In this instance, the Court held that Facebook Germany constituted such an establishment.
In keeping with its prior jurisprudence, the Court held that the contested processing does not need to be carried out by that establishment, but simply ‘in the context of its activities’, a phrase that cannot be interpreted restrictively. The Court, in keeping with the Advocate General’s Opinion and its Google Spain jurisprudence, held that the promotion and sale of advertising space by Facebook Germany, in order to subsidise Facebook’s platform services, was inextricably linked to the contested data processing. Thus, the Court concluded such processing is carried out in the context of Facebook Germany’s establishment; German law is therefore applicable to the processing and the German authority is entitled to exercise all powers conferred on it under domestic law.
Facebook has its primary European establishment in Ireland, and the ULD’s intervention against Wirtschaftsakademie was on the grounds of a data protection infringement by Facebook. The Court was therefore asked to consider whether the German supervisory authority was competent to conduct its assessment of the lawfulness of Facebook’s data processing activities and exercise its powers without asking first for the Irish supervisory authority to intervene.
The Court recalled that, pursuant to Article 16(2) TFEU and Article 8(3) EU Charter, supervisory authorities are required to act with complete independence. Moreover, while the Directive provided for cooperation between supervisory authorities, it did not lay down criteria for the prioritisation of their actions. Each national supervisory authority is, according to the Court, competent to assess the compatibility of processing on its own territory with complete independence, irrespective of the findings of other supervisory authorities in analogous situations. The ULD could therefore assess the lawfulness of the contested data processing operations independently of the assessments of the Irish supervisory authority.
The Court’s jurisdictional determinations will put a definitive end to speculation that the Google Spain logic – that the presence in a Member State of a subsidiary providing support for the data processing operations is sufficient for that State’s supervisory authority to claim jurisdictional competence – would be confined to situations where the controller was not established in the EU. The Court, in essence, reasoned that the complete independence of the supervisory authorities enables them to take autonomous, potentially conflicting actions. Given that independence is a primary law requirement, and the new EU data protection agency (the EDPB) limits the autonomous decision-making of supervisory authorities, it will be interesting to see whether the agency’s compatibility with the Charter is challenged in future.
The Court’s findings regarding the concept of ‘controller’ are unlikely to come as a surprise to those who have been following its trajectory in this field. The scope of key concepts underpinning the data protection rules – such as personal data and data controller – has been interpreted broadly in order to ensure the effectiveness of the protection of individuals afforded by the data protection regime.
Given that the biggest weakness of the EU data protection rules to date has been their under-enforcement, with individuals experiencing this protection as more illusory than real, the Court’s push for their effectiveness is to be welcomed. Indeed, the Court’s support for the data protection rules can be seen as one of several structural measures that will help remedy the persistent power asymmetry between individuals and entities such as Facebook, who process their personal data. Although Facebook was not party to the litigation, the Court, in delimiting the concept of ‘joint controller’, emphasised that Facebook would be primarily responsible for compliance. Facebook is now therefore taking measures to help fan page administrators comply with the judgment.
The judgment also draws attention to the influence that powerful gatekeeper platforms, like Facebook, have on the level of data protection offered to individuals. As argued elsewhere, as well as their direct impact on digital rights, gatekeeper platforms also have a significant indirect impact on our rights by – de facto – determining the conditions for our data processing by other providers, such as Wirtschaftsakademie in this case. One outcome of this judgment is that it may encourage platforms to reconsider the terms on which they make their platforms available. In the interim, however, the legions of business users of gatekeeper platforms may themselves feel that the Court has misunderstood their plight. It is unclear from the judgment whether it was technically feasible for fan page administrators to provide their own cookie notice, or contractually feasible for them to decline to use Facebook Insights (the judgment simply states that the conditions of use of the latter were non-negotiable). In such circumstances, data controllers such as Wirtschaftsakademie may find themselves in the same boat as data subjects: offered a ‘take it or leave it’ choice to deal with the market’s biggest players.