The CJEU case originated from the claim of the Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany. It ordered a German education company (Wirtschaftsakademie Schleswig-Holstein GmbH) to deactivate its Facebook page because it, without explicit user consent, accessed and stored cookies on visitors’ hard drives to collect personal data.
The education service provider argued that ‘Facebook alone decided on the purpose and means of collecting and processing personal data used for the Facebook Insights function, Wirtschaftsakademie receiving only anonymised statistical information.’
The court did not agree. Creating a Facebook page requires page administrators to define parameters of the page depending on the target audience, the objectives and the promotion of the page.
Facebook page admins can actively set filters that request processing of demographic data, trends relating to age, sex, relationship and occupation, information on lifestyles, online purchasing habits and other data.
Although Facebook ultimately transmits only anonymous data to page admins, the Facebook page operators set these filters and must therefore be categorised as data controllers ‘responsible for that processing within the European Union, jointly with Facebook Ireland.’
Although the origins of this case predate the GDPR, the decision of the CJEU is dictated by the provisions of the new legislation. It distinguishes between data processors and controllers, drawing specific attention to the responsibilities of both.
German data protection authorities publish new guidelines for operating Facebook fanpages.
The CJEU decides lack of access to personal data does not unmake a joint controller: A look at Wirtschaftsakademie – pdpEcho.
Who is the controller?
The Court of Justice of the EU decided in Case C-210/16 Wirtschaftsakademie that Facebook and the administrator of a fan page created on Facebook are joint controllers under EU data protection law. The decision sent a mini shockwave to organizations that use Facebook Pages, just one week after the GDPR entered into force. What exactly does it mean that they are joint controllers and what exactly do they have to do in order to be compliant? The judgment leaves these questions largely unanswered, but it gives some clues as to finding answers.
Being a joint controller means they have a shared responsibility (with Facebook) to comply with EU data protection law for the processing of personal data occurring through their Facebook Page. The judgment created a great deal of confusion. It is important to note that the Court did not specify at all who bears which responsibilities, not even with regard to providing notice.
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, LfDI).
For a violation of the data security required under Art. 32 GDPR, the fines office of the LfDI Baden-Württemberg, by notice of 21 November 2018, imposed a fine of EUR 20,000 on a Baden-Württemberg social media provider and, in constructive cooperation with the company, secured extensive improvements in the security of user data.
The company had contacted the LfDI on 8 September 2018 with a data breach notification after noticing that, through a hacker attack in July 2018, personal data of approximately 330,000 users, including passwords and e-mail addresses, had been stolen and then published at the beginning of September 2018. In accordance with the requirements of the EU General Data Protection Regulation (GDPR), the company informed its users about the hacker attack immediately and comprehensively.
ECLI:EU:C:2018:388
Provisional text
JUDGMENT OF THE COURT (Grand Chamber)
(Reference for a preliminary ruling — Directive 95/46/EC — Personal data — Protection of natural persons with respect to the processing of that data — Order to deactivate a Facebook page (fan page) enabling the collection and processing of certain data of visitors to that page — Article 2(d) — Controller responsible for the processing of personal data — Article 4 — Applicable national law — Article 28 — National supervisory authorities — Powers of intervention of those authorities)
In Case C‑210/16,
REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesverwaltungsgericht (Federal Administrative Court, Germany), made by decision of 25 February 2016, received at the Court on 14 April 2016, in the proceedings
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH,
interveners: Facebook Ireland Ltd,
THE COURT (Grand Chamber),
Judgment 2.
The ‘Facebook Fan Page’ judgment: joint data controllers, cookies and targeted advertising.
How do I know if I am a data controller? In particular, how do data controller responsibilities work when it comes to cookies operating on my website (especially for targeted advertising purposes)? The GDPR has not invented these questions, but it has injected them with urgency and sharpness. The CJEU’s judgment in the ‘Facebook Fan Page’ case, handed down this morning, is a very significant contribution on increasingly important issues of this kind.
The case is Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd (Case C-210/16). The case is not just about the ‘data controller’ issue.
First, some background to the case, which I take from my post on Advocate General Bot’s Opinion, given in November 2017: A German company offering education and training services set up a Facebook fan page that allowed it to obtain viewing statistics via the ‘Facebook Insights’ tool.
No. Europe’s top court takes a broad view of privacy responsibilities around platforms. Poullet report 2004 FRA.