Court Finds Facebook Page Administrator ‘Jointly Responsible’ For Data Protection

Operators of resources on Facebook are “jointly responsible” with the American company for processing users’ data, Europe’s highest court has ruled, amidst growing scrutiny of data-gathering practices worldwide.

The European Court of Justice found on Tuesday that a German education firm which operated a fan page could not, as the company had argued, pass responsibility for data protection issues on to Facebook.

The education company had made use of a Facebook feature allowing it to collect anonymised data on visitors to the fan page through the use of cookies.

In 2011 a German data protection authority had ordered the firm to cease operating the page, arguing that users hadn’t been informed their data was being collected.

Joint responsibility

The firm responded with a legal action arguing that Facebook, not it, was responsible for data protection issues, since it had provided the tracking service under non-negotiable conditions. Any action should have been taken directly against Facebook, the firm said.

But in this week’s ruling the ECJ found that while Facebook and its Irish subsidiary must indeed be regarded as “controllers” responsible for processing the personal data of Facebook users, administrators such as the education firm are jointly responsible.

“Such an administrator takes part, by its definition of parameters,… in the determination of the purposes and means of processing the personal data of the visitors to its fan page,” the ECJ said in a statement on the ruling.

In particular, the court noted that administrators can ask for anonymised demographic data on its audience, thereby requesting the processing of that data. Such data can include trends in age, sex, relationships, occupations, information on lifestyles and centres of interest, and online purchasing habits.

GDPR ‘one stop shop’

“The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data,” the court stated.

The ECJ also reaffirmed an October opinion by a legal adviser that said the German authority had the power to take action against Facebook, even though Facebook’s EU subsidiary is based in Ireland.

Facebook had argued that only the Irish data protection regulator had jurisdiction over its activities.

The case predated the entry into force last month of the General Data Protection Regulation (GDPR), which introduces a “one stop shop” mechanism allowing companies to deal only with the regulator in the member state of their main EU establishment.

Under the GDPR, when issues arise elsewhere in the EU, authorities in those areas can either hand the case over to the company’s lead regulator or handle the case locally in cooperation with the lead regulator.

How much do you know about privacy? Try our quiz!