An interesting ruling by Europe’s top court could have some major implications for data mining tech giants like Facebook and Google, along with anyone who administers pages that allow platforms to collect and process their visitors’ personal data — such as a Facebook fan page or even potentially a site running Google Analytics.
Passing judgement on a series of legal questions referred to it, the CJEU has held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the data of visitors to the page — aligning with the the Advocate General’s opinion to the court, which we covered back in October.
In practical terms the ruling means tech giants could face more challenges from European data protection authorities. While anyone piggybacking on or plugging into platform services in Europe shouldn’t imagine they can just pass responsibility to the platforms for ensuring they are compliant with privacy rules.
The CJEU deems both parties to be responsible (aka, ‘data controllers’ in the legal jargon), though the court also emphasizes that “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data”, adding: “On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.”
Gist of Wirtschaftsakademie final judgement
– if you attract users to a service (e.g. FB fan page)
– that tracks them
– and you use (aggregate) results from the tracking
you are a data controller, *even* if you never held or saw anything that could be considered personal data.— Michael Veale @mikarv@someone.elses.computer (@mikarv) June 5, 2018
The original case dates back to 2011, when a German education and training company with a fan page on Facebook was ordered by a local data protection authority to deactivate the page because neither it nor Facebook had informed users their personal data was being collected. The education company challenged the DPA’s order and, after much legal back and forth, questions were referred to Europe’s top court for a preliminary ruling.
“The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data,” the court writes today, handing down its judgement.
“It must be emphasised, moreover, that fan pages hosted on Facebook can also be visited by persons who are not Facebook users and so do not have a user account on that social network. In that case, the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data.
“In those circumstances, the recognition of joint responsibility of the operator of the social network and the administrator of a fan page hosted on that network in relation to the processing of the personal data of visitors to that page contributes to ensuring more complete protection of the rights of persons visiting a fan page, in accordance with the requirements of Directive 95/46.”
Facebook unsurprisingly expressed disappointment at the CJEU’s decision when contacted for a response.
“We are disappointed by this ruling. Businesses of all sizes across Europe use internet services like Facebook to reach new customers and grow,” a spokesperson told us via emailed statement. “While there will be no immediate impact on the people and businesses who use Facebook services, we will work to help our partners understand its implications. We are compliant with applicable European law and as part of our preparations for GDPR, we have further improved our privacy policies, controls and tools to make them clearer.”
The company’s go-to legal strategy to defend against data protection challenges in Europe has been to claim it’s only bound by the jurisdiction of the Irish Data Protection Commissioner, given its international HQ is based in Ireland. So it’s essentially relied upon a cosy relationship with a local, pro-business DPA to shield it from complaints filed in other less friendly European jurisdictions.
But as we wrote last fall that strategy looks to be on borrowed time, as courts in Member States are increasing showing a willingness to assert jurisdiction over tech giants whose digital services freely cross EU borders and are entirely capable of impacting citizens’ rights everywhere.
“I do think it is becoming harder and harder for any tech company to evade the law,” Jef Ausloos, a researcher at the Centre for IT and IP Law in Belgium, tells us. “We see it in almost every CJEU ruling since GoogleSpain (delisting/rtbf) — the Court wants to ensure complete and effective protection.”
“From now onwards you can go through fan pages (that are in same jurisdiction and/or in a jurisdiction with strong DPA) by proxy to attack Facebook — regardless of one-stop-shop — so great for user-empowerment,” he adds.
“(Co-)responsibilising fan-pages will put massive pressure on Facebook but also Google-Analytics, for example, to enable better control to fan page-administrators and data subjects.”
While today’s CJEU ruling could pave the way for more enforcement of EU data protection rules at a Member State level, there are some caveats as the judgement relates to the bloc’s prior Data Protection Directive — which has now been replaced with an updated privacy framework, in the form of the General Data Protection Regulation (GDPR).
And Facebook is clearly attempting to promote a self-serving interpretation of GDPR that seeks to concentrate jurisdictional elements around a lead data protection authority — under the regulation’s so-called ‘one-stop shop’ principle. So once again it’s trying to lean towards only having to be answerable to the Irish DPA.
However that looks like wishful thinking. The GDPR’s OSS mechanism was not intended to limit the participation of other DPAs where complaints cross Member State borders — but rather to allow for co-ordination between multiple agencies.
And, well, Europe’s top court is making its view on the local competence of data watchdogs increasingly clear…
Another radical & ground-breaking yet somewhat unsurprising #CJEU decision which will limit One Stop Shop: Local DPA competent even if main EU establishment elsewhere in 🇪🇺. https://t.co/zAd3jmBfIG
— Eduardo Ustaran (@EUstaran) June 5, 2018
“[The CJEU ruling] continues the trend set in Google Spain that challenges can be brought across the Union,” agrees Michael Veale, a technology policy researcher at University College London. “However that aspect of the case is specifically about interpretation of the Data Protection Directive.
“The GDPR has a separate system to deal with cross-border processing, with mechanisms present such as the EDPB [European Data Protection Board], and voting systems for particular types of co-ordinated action, and the idea that a ‘lead supervisory authority’ can act but not control an entire process. Now we will see how fragmented that will end up as in practice.”
Playing down the potential impact of the ruling, Facebook — somewhat ironically — points to GDPR’s tightening of rules around the consent basis for processing persona data, meaning there’s more onus on data handlers to clearly and cleanly communicate choices to users, at least assuming consent is the legal basis they’re relying on to process people’s data.
So, in theory, that means any entities handling EU citizens’ personal data should already be thinking far more carefully about their responsibilities vis-a-vis users’ personal data — more than was perhaps the case all the way back in 2011 (when the penalties for ignoring Europe’s privacy rules were all too easily ignored).
The GDPR’s biggest change to the EU’s privacy regime is not so much new rules as an increase in the maximum penalties for data protection violations, giving enforcement the teeth that have always been lacking and thereby concentrating minds on compliance.
Though the irony here comes because in Facebook’s own case it’s already facing legal challenges to the consent flows it’s designed for GDPR — with early complaints filed against the eponymous Facebook platform and two other Facebook-owned services, Instagram and WhatsApp, alleging they are subverting the rules by coercing consent from users. (Another early consent-related complaint has also been lodged against Google’s Android.)
In terms of damage limitation as a result of the CJEU ruling, Facebook says it will work with partners and regulators in Europe to limit the potential impact on its services and on those that use them, suggesting — for example — that it could provide guidance to Page owners on how they can comply with their obligations.
At the start of this year it also announced a series of data protection workshops in Europe, set to run throughout this year, and aimed at small and medium businesses — with a stated focus on GDPR compliance.
So it’s already busy on that front — and only now likely to get busier.
But given the sheer volume of fan pages that exist on Facebook there’s no doubt the CJEU judgement greatly increases the company’s surface area for legal liabilities. (Though the ruling does not just apply to Facebook, of course.)
While the court’s backing for local DPAs’ jurisdiction sets the weather going into GDPR, and looks like a vital check against any overbearing corporate attempts to reshape the new rules to fit their own ends — at the expense of users’ fundamental rights.
The EU is in a permanent balancing exercise between harmonisation & national diversity. This is very visible in #EUdataP law. The #GDPR leans towards harmonisation. The #CJEU decisions tend to highlight Member States’ diversity. The result reflects the reality on the ground.
— Eduardo Ustaran (@EUstaran) June 5, 2018
Comment