Ruling C-210/16 of June 5, 2018 Wirtschaftsakademie – The “Facebook” ruling which couldn’t come at a better time
A few days after the application of the General Data Protection Regulation (GDPR), accompanied by its bunch of e-mails – indeed even junk mail or spam – and by its media buzz, the Court of Justice of the European Union handed down a ruling.
This case opposed Wirtschaftsakademie of the Land of Schleswig-Holstein and the regional data protection authority – “the ULD”, in the presence of … Facebook Ireland Ltd.
First and foremost, let us be clear that this is obviously not the first ruling handed down concerning the famous GDPR; the issue here is the interpretation of Directive 95/46/EC on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the origin of said Regulation!
The main proceedings between the ULD and Wirtschaftsakademie, a private law company operating in the field of education, concerned the lawfulness of the authority’s order to Wirtschaftsakademie to deactivate its “page” hosted on the Facebook social network site.
In fact, according to the authority, neither Wirtschaftsakademie, nor Facebook informed the page’s visitors that Facebook was collecting, by using cookies, their personal information, which is processed, notably using the Facebook Insight application, and which enables page administrators to obtain statistical information about their visitors.
Following the national proceedings, the Federal Administrative Court has addressed six questions referred for a preliminary ruling to the Court. This Court has made a point of grouping them together in order, ultimately, to learn three particularly instructive lessons from them.
Firstly, it appears that the notion of “data controller” – which has not undergone any changes between the old directive and the new regulation – must be interpreted in the sense that it also includes the administrator – in this case, Wirtschaftsakademie – of a fan page hosted on a social network such as Facebook. Should we conclude from this that their joint responsibilities are equivalent? This is neither supported by the Advocate General – see points 75 and 76 of its findings – nor by the Court – see point 43 of the ruling; the level of responsibility of each party must be evaluated by taking into account all the circumstances of this particular case.
Secondly, independently of the allocation of tasks within the same business group – Facebook, for example –, the supervisory authority of a Member State is authorised to exercise its powers of intervention, and notably of processing prohibition, even if the division of the group established on its territory is not responsible for the data processing policy within the group.
Thirdly, the Court infers from the forgoing that the supervisory authority of the relevant Member State may exercise its powers of intervention without even any need for the supervisory authority of the Member State, in which the principal establishment of the business entity is located, – Ireland, in the case of Facebook – to intervene.
What needs to be upheld from this ruling? It seems that the Court is willing to act as a safeguard since, as pointed out by the Advocate General, it is about preventing a business/company from being able to conclude a contract/agreement with a third party “in order to avoid its obligations in matters of personal data protection”. And that each supervisory authority can take action if this gets out of control; now what remains is to provide them with the necessary resources to do so...
Associated areas of specialisation: Privacy and personnal data