Who controls the data of fan page visitors
Responding to the request by the German Federal Administrative Court, the Court of Justice of the EU ("CJEU") gave its preliminary ruling on 5 June 2018 in the proceedings between Schleswig-Holstein's data protection authority ("ULD") and a private educational company ("Wirtschaftsakademie"). The judgment, in Case C-210/16, sheds light on who is the data controller in relation to the processing of personal data on a fan page hosted on Facebook.
The dispute was triggered by the ULD's November 2011 decision ordering Wirtschaftsakademie to deactivate its fan page on Facebook. Facebook placed cookies on the computers or other devices used by visitors to the fan page, without informing them of the collection and further processing of their personal data. Wirtschaftsakademie also failed to inform the visitors. Facebook then anonymized the visitors’ data and provided aggregated data on visitors to the fan page to Wirtschaftsakademie. The anonymous statistical information made Wirtschaftsakademie aware of the profile of the visitors who like its fan page or use its applications.
Wirtschaftsakademie challenged the ULD decision before German courts, arguing that Facebook was responsible for the processing of the data on the fan page visitors. Facebook delivered the data to Wirtschaftsakademie in aggregated form, so – Wirtschaftsakademie argued – these were no longer personal data. The ULD insisted that Wirtschaftsakademie was responsible for the data processing because it actively and deliberately contributed to the processing on the part of Facebook and "profited by means of the statistics provided to it by Facebook".
In essence, the proceedings before German courts at various levels were about who was the data controller – Facebook or Wirtschaftsakademie.
- by operating a fan page, the administrator gave Facebook an opportunity to place cookies on the computers or other devices of the visitors, including those who did not have a Facebook account; and
- the administrator was the one defining the parameters for the production of the statistical data – for example, it could require Facebook to deliver only the statistics pertaining to a certain kind of visitors, or to produce data relating to the trends concerning the visitors' age, sex, occupation, and other characteristics, interests, or habits. In that way, the administrator substantially influenced the processing of personal data before Facebook turned the data into statistics.
Attributing the status of the controller to Wirtschaftsakademie is plausible, considering that the fan page administrator determined the purpose of the personal data processing: offering the visitors "more relevant content and develop functionalities likely to be of more interest to them" (paragraph 34).
As for Facebook's role in the processing scheme, the CJEU found Facebook Inc. and Facebook Ireland (for the European Union) to be data controllers, because they primarily determine the purposes and means of processing the personal data of users of Facebook and persons visiting the fan pages hosted on Facebook. According to paragraph 34 of the preliminary ruling, the processing of personal data was intended both "to enable Facebook to improve its system of advertising transmitted via its network" and "to enable the fan page administrator to obtain statistics produced by Facebook from the visits to the page". It follows that Facebook is a controller in relation to the processing the purpose of which is to improve Facebook's own system of advertising.
So, the Court found both Wirtschaftsakademie and Facebook to be data controllers. The judgment does not explain whether Wirtschaftsakademie and Facebook are co-controllers or two distinct controllers (each determining its own purpose of the data processing). It would appear that, in relation to the purpose of Wirtschaftsakademie offering tailor-made content and functionalities to the visitors, Facebook could hardly be considered anything other than a data processor.