In Europe, Facebook’s data law buffer looks to be on borrowed time

Facebook’s European business may not, for too much longer, be able to rely on its preferred privacy buffer of arguing that data protection oversight of its business is exclusively limited to the Irish watchdog on account of its European HQ being located in Ireland.

A non-binding legal opinion put out today by an influential advisor to Europe’s top court has ruled that the social network can in fact be subject to privacy oversight in other European Union Member States — at least where it has some physical presence (such as a sales office), as well as users whose data it is gathering for targeted advertising.

The underlying case pertains to the background tracking of web browser users via Facebook operated cookies. A German education and training company which runs a fan page on Facebook had, in 2011, been ordered by a German data protection authority to deactivate the Facebook page because the latter deemed that neither it nor Facebook had informed users their personal data was being collected.

The company challenged the order in court and, after much legal back and forth, several questions were referred to Europe’s top court for a preliminary ruling — which today’s advocate general opinion prefigures.

In recent years, various European DPAs have sought to impose fines on Facebook for what they view as data protection violations pertaining to users in their jurisdiction, including watchdogs in Spain, the Netherlands and Belgium.

But Facebook’s go-to rebuttal is to claim it is only subject to the jurisdiction of the Irish DPA.

In today’s opinion, the advocate general writes: “In recent months, the supervisory authorities of several Member States have decided to impose fines on Facebook, because of breaches of the rules on the protection of the personal data of its users. The present case will enable the Court to clarify the extent of the powers of intervention of supervisory authorities such as ULD [German DPA] with regard to the processing of personal data which involves the participation of several parties.”

It’s fair to say that EU Member States’ data protection authorities are a spectrum, with some taking a distinctly more proactively pro-privacy stance than others.

While Ireland’s low corporate tax rate is something of a flag for where the country plants its priorities on the ‘data for businesses’ vs ‘privacy for users’ axis — underlining why Facebook might want to be subject to its supervision vs other, more pro-privacy EU DPAs.

But its preference for the Irish data protection commissioner to be its sole privacy authority could well be on borrowed time. A spokeswoman for the ECJ said there is no date yet for a final judgment but one usually follows between three and six months after the opinion.

Contacted for a response to today’s advocate general’s opinion, a Facebook spokesperson told us: “We respectfully disagree with the Advocate General and await the European Court’s decision.”

Facebook’s spokesperson further emphasized the AG’s opinion is non-binding. However AG opinions are usually highly influential on the court — though we’ll have to wait to see whether the court concurs in this instance. (If so there could be wider implications for other, similarly structured tech companies that also use tracking cookies in the EU.)

The Facebook spokesperson also sought to imply that the AG’s opinion is not consistent with an incoming update to EU data protection law, under the GDPR — which comes into force in May 2018, and includes a provision intended to reduce data oversight complexity for companies operating services across EU Member States borders via a so called one-stop shop mechanism that’s designed to limit the number of DPAs data controllers need to liaise with.

However the mechanism does not mean data oversight is automatically limited to a single DPA; rather the GDPR provides for a lead DPA which can liaise with any other concerned authorities over data issues pertaining to citizens in their own territories. So in fact it allows for multiple concerned DPAs to carry out supervision on companies’ data-related practices.

The AG also touches on this area, writing: “[T]he Court should not, in my opinion, pre-empt the scheme established by the general regulation on data protection which will apply from 25 May 2018 onwards. As part of that scheme a one-stop-shop mechanism is instituted. This means that a controller that carries out cross-border data processing, such as Facebook, will have only one supervisory authority as interlocutor, namely the lead supervisory authority, which will be the authority for the place where the controller’s main establishment is located. Nevertheless, that scheme, and the sophisticated cooperation mechanism which it introduces, are not yet applicable.”

Another interesting component of the opinion pertains to the definition of a data controller — a key distinction in privacy law which enables supervisory authorities to understand where specific legal responsibilities lie, and thus how to apply data protection law.

In the case of the German company involved in the original case, the AG’s view is that both it and Facebook share responsibility for data processing as regards the Facebook fan page, as both are involved with making decisions around how user data is processed (one as administer of the specific Facebook fan page; the other, Facebook, as administrating entity of Facebook fan pages).

But the wider point of note is that neither needs to have complete control over data processing activities to be deemed a data controller from a legal point of view.

“Ever more frequently data processing is complex, comprising several distinct processes which involve numerous parties which themselves have differing degrees of control. Consequently, any interpretation which focusses on the existence of complete control over all aspects of data processing is likely to result in serious lacunae in the protection of personal data,” writes the AG.

“I would add that, as the Belgian Government rightly observes, the fact that the Wirtschaftsakademie [the German company in the case] acts as joint controller in so far as it decides to have recourse to Facebook’s services for its information offering in no way relieves Facebook Inc. or Facebook Ireland of their obligations as controllers. Indeed, it is clear that those two entities have a decisive influence over the purposes and means of the processing of personal data which occurs when a fan page is visited and that they also use that data for their own purposes and interests.”

The AG also writes in support of “a broad interpretation of the concept of ‘controller’” saying this is necessary for EU data protection law to function as intended.