by K-M Mauel
In a landmark judgment, the European Court of Justice found that operators of Facebook fan pages should be considered as being (jointly) responsible for the data processing of the personal data collected by Facebook on those pages. The basis for that judgment is a legal dispute between independent state data protection centre Unabhängige Landeszentrum für Datenschutz Schleswig-Holstein (ULD) and Wirtschaftsakademie Schleswig-Holstein GmbH (business academy) regarding the legality of an order issued by the ULD demanding that a Facebook fan page operated by the business academy be deactivated.
The court affirmed the exercise of control powers by the German state supervisory authority because Facebook maintains a branch in Germany. It is of no significance here that that branch is only responsible for the sale of advertising space and other marketing campaigns, even though the processing of personal data is carried out exclusively by a branch in another EU country, in this case Ireland. A further consequence of this is that in such a constellation the controlling supervisory authority can exercise its control powers also without the intervention of the supervisory authority at the location where the branch responsible for the data processing has its registered office.
Since Facebook collects personal data of site visitors using cookies in order to optimize its own advertising, and also provides that data in anonymized form to the site operator, for example for target group optimization, the court found that the fact that the operator of a fan page may influence the purposes and means of the data processing through its parameterization means that the operator of a Facebook fan page must also be considered a controller for the data processing along with Facebook.
Our recommendation: although the judgment is based on the now ineffective EC Data Protection Directive, it should be assumed that the assessment carried out by the court will also affect the interpretation of the now effective GDPR. For that reason, operators of Facebook fan pages should, with regard to data protection laws, treat them in exactly the same way as their official websites and provide visitors to those pages with appropriate data protection notices.