Europe's top court has just blown a big hole in Facebook's fan-page terms

New CJEU ruling in Facebook case could have "far-reaching effects" for GDPR contracts.


Europe's top court has ruled that companies and people who administer Facebook fan pages are jointly responsible with Facebook for data protection on those pages.

The ruling means that if Facebook is infringing on the data-protection rights of users who follow a fan page, the page's admins may also be in the firing line, at least to some degree.


Equally, if the fan-page operator infringes on people's privacy rights, Facebook may also be responsible.

As a result of the ruling, Facebook and a host of other companies involved in online marketing will probably need to rewrite their contracts with customers across Europe.

"We are disappointed by this ruling," said a Facebook spokesperson.

"Businesses of all sizes across Europe use internet services like Facebook to reach new customers and grow. While there will be no immediate impact on the people and businesses who use Facebook services, we will work to help our partners understand its implications."

The ruling, from the Court of Justice of the European Union (CJEU), came through Tuesday morning in the case of a German educational company called Wirtschaftsakademie Schleswig-Holstein.

Back in 2011, the data-protection authority in the north-German state of Schleswig-Holstein ordered the firm to deactivate its Facebook fan page because neither Wirtschaftsakademie nor Facebook told visitors that Facebook was collecting personal data about them, using cookies.

The Schleswig-Holstein data-protection regulator maintained that the educational academy was the 'controller' of the personal data gathered through its fan page, so it was responsible.

The German firm fought back, saying it couldn't be held responsible and had not asked Facebook to track anyone.

"The court finds that an administrator such as Wirtschaftsakademie must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data," the court said in a statement.

The CJEU reasoned that a page admin was a joint data controller because it could control how people's data is used. Through the Facebook Insights tool, the admin could ask for information on the demographics, interests and locations of the page's audience.

"The judgment confirms my view that there must not be gaps in responsibility under data-protection law. This means specifically that all administrators of Facebook Pages have to ensure that they and Facebook conform to their respective obligations under data protection law," said Marit Hansen, the Schleswig-Holstein data-protection commissioner.

"This is particularly important with regard to the information obligations: transparency is required for the processing of data concerning all users, whether they are members of Facebook or non-members."

Because the case dates back to 2011, the ruling refers to the data-protection law that was in force at the time, the Data Protection Directive of 1995, rather than the 2016 General Data Protection Regulation (GDPR) that superseded it in late May of this year. However, the principle carries across regardless.


So, how much does this ruling change for organizations operating fan pages on Facebook? The answer is nuanced.

According to the Berlin-based lawyer Niko Härting, since 2011 many companies such as Facebook and Google have begun offering contracts to their marketing customers, such as fan-page operators or Google Analytics users.

The contracts maintain that where people's data is concerned, the platform is just the data processor and the marketing customer is the data controller, with the primary responsibility for the protection of personal data.

However, the marketing customer's status as controller has never before been established in a ruling by the EU's top court. And to top it off, this ruling says the relationship is one of controller and controller, not controller and processor.

"All those controller-processor agreements do not work anymore," said Härting.

"In future they have to be controller-controller agreements which, by chance, are regulated by the GDPR. There was no explicit regulation for joint controller agreements in the past, and many of my colleagues have been wondering what to do [about this new element of the GDPR]. The [court] provides the answer to this.

"For the whole online marketing world, this has potentially far-reaching effects because they have to go back to the standard contracts that they just revised for the GDPR," he added. "They have to revise them again."

However, the lawyer noted that the CJEU had stressed that joint controllership does not mean fan-page admins are as responsible as Facebook is for the platform's data-protection practices.

"If your data has been mishandled in connection to the fan page, you can turn to the operator of the fan page, but the operator can turn to Facebook and say, 'This is mainly your responsibility'," Härting explained.

The ruling also holds that the Schleswig-Holstein privacy regulator has jurisdiction over the activities of Facebook Ireland, the social network's European base, in Germany.

However, previous CJEU rulings have already addressed this sort of jurisdictional point, most notably the Google Spain ruling that established the so-called 'right to be forgotten' from search listings.

The GDPR also sets up mechanisms to make it easy for people to complain about a company's behavior to their local data-protection authority, no matter where the company in question is based.

Hansen, the head of the Schleswig-Holstein watchdog, had strong words about the amount of time it took for this case to get a judgment from the CJEU. She said it is important that national courts refer questions to the CJEU sooner rather than later.

"Swift adjudication is paramount for legal certainty. Legal proceedings on these essential concepts of data-protection law must be fast-tracked," she said.

"Some instances of abuse of personal data, such as Cambridge Analytica, could perhaps have been avoided if all German or, better yet, all European Facebook page administrators had ensured compliance with EU data protection law in 2011."
