Privacy, Data Protection and Retention
Data Protection Commissioner v. Facebook (Schrems II)
Closed Mixed Outcome
The Grand Chamber of the Court of Justice of the European Union issued a preliminary ruling holding that the administrator of a Facebook page was a joint controller with Facebook with respect to the processing of personal data of the individuals visiting the page. Wirtschaftsakademie, a private educational company, was held liable under German laws for actively and deliberately contributing to the collection of users’ personal data by employing a free Facebook tool that used cookies to generate anonymous statistical information about users visiting the page. The Court considered that the administrator took part in the determination of the purposes and means of the processing of personal data through various tools such as the use of filters to isolate demographic information. The Court further held that German law was applicable and the German supervisory authority was competent to exercise its powers in deactivating the page. As a final point, the Court stated that recognizing page administrators as controllers would ensure greater protection of the rights of those visiting the page.
Respondent, Wirtschaftsakademie Schleswig-Holstein GmbH (Wirtschaftsakademie), a private education company located in Germany, offered educational services by means of a fan page hosted on Facebook. The company regularly procured anonymous statistical information about users visiting the fan page using a feature offered by Facebook called ‘Facebook Insights’. In essence, Facebook Insights allows administrators to collect user information by means of cookies containing a unique user code, stored on visitors’ computers and processed on opening the fan page. Facebook provides this service free of charge under non-negotiable conditions of use.
In November 2011, the German supervisory authority Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD, the Applicant) directed the Respondent to deactivate the fan page it had set up. It claimed that both Wirtschaftsakademie and Facebook failed to inform the visitors to the fan page that they were collecting and processing data obtained by means of cookies. The Respondent lodged a complaint, claiming that it was not responsible under German data protection laws for processing of data done by Facebook or by means of cookies installed by the social media platform; ULD dismissed that claim. Accordingly, by a decision dated December 16, 2011, Wirtschaftsakademie was held liable under German laws for actively and deliberately contributing to the collection of users’ personal data by Facebook, from which it obtained useful statistics to drive its business to profitability.
The Respondent appealed in the German Administrative Court (Verwaltungsgericht) against the judgment of the lower court. It contested the order on the ground that no liability of processing of data can be attributed to it under German laws, as it had not commissioned Facebook to process data, nor did it control or influence the personal data. The decision of the lower court was, however, annulled by the Administrative Court by the judgment dated October 9, 2013 as the Respondent did not fall within the ambit of ‘responsible entity’ under German laws and was not liable to be prosecuted.
Subsequently, the Higher Administrative Court (Oberverwaltungsgericht) and the Federal Administrative Court (Bundesverwaltungsgericht) dismissed ULD’s appeal against the judgment of the Administrative Court. Holding that adherence to a progressive procedure to prohibit processing of personal data was a requirement under German laws, the Court determined that an immediate prohibition by ULD was only valid in a sole circumstance where the data processing was unlawful ‘in its entirety’ [p. 6], which was not the circumstance in the present case. Further, the Administrative Court’s ruling that the Respondent was not a ‘responsible entity’ was also upheld by the appellate courts. Finally, ULD’s argument that Wirtschaftsakademie should be held responsible for utilizing an “inappropriate supplier” (i.e. Facebook) [p. 7] to create, host and maintain the site was also rejected by the Court. Given the valid concerns of the appellate forum on ULD’s power of intervention with respect to Facebook (ULD had moved an action against Facebook Germany when Facebook Ireland was responsible, on EU level, for collection and processing of data), the Court decided to stay the proceedings by referring the case to CJEU.
In the opinion issued by Advocate General Bot dated October 24, 2017, he emphasized that an information provider was not ‘meant to be able to absolve itself, by choosing a particular infrastructure provider, of the legal data protection obligations toward the users of its information offering that it would have had to meet if it had acted as a mere content provider’ [para. 65]. Thus, the fact that one party unilaterally determines the contractual terms cannot relieve the other party from controller responsibility. Had the administrator created its own website and processed data in the same manner, it would clearly be a controller with respect to that processing. Accordingly, he held that the fact that the administrator used a platform provided by Facebook could not, therefore, free the administrator from responsibilities as a controller.
The Grand Chamber of the Court of Justice of the European Union (CJEU) delivered a preliminary ruling on the matter. The principal question under consideration in the case concerned the lawfulness of ULD’s order against Wirtschaftsakademie to deactivate its Facebook fan page.
Under Directive 95/46/EC of the European Parliament on the protection of individuals with regard to the processing of personal data and on the free movement of such data, national supervisory authorities are required to ensure any processing of data by ‘controllers’ is carried out in accordance with the laws of Member States, so as to protect fundamental freedoms and the right to privacy. Under German Federal Law on Data Protection, the commissioning entity collecting, processing or using personal data is required to ensure implementation of appropriate organisational and technical measures. Supervisory authorities are entitled under German law to intervene and take measures to eliminate breaches.
After a dismissal of the appeal of ULD by the Higher Administrative Court and grant of stay by the Federal Administrative Court, the case was referred to CJEU for determination and grant of a preliminary ruling on the following set of questions:
It is important to note at this stage that the Federal Administrative Court, while declaring Wirtschaftsakademie as an entity outside the ambit of the Directive 95/46, had nevertheless noted the broad interpretative scope of the concept of ‘controller’, so as to afford adequate protection to the fundamental right to privacy.
In recalling the inherent objective of the EU Directive to secure a ‘high level of protection’ to fundamental rights and freedoms of natural persons, CJEU sought to answer the initial question by assessing whether the administrator ‘contributed, in the context of [the] fan page to determining, jointly with [Facebook], the purposes and means of processing the personal data of the visitors to the fan page’ [p. 9]. Referring to its earlier judgment in Google Spain v. Google (2014) C-131/12, it noted that the Directive adopts a broad definition of the term ‘controller’, defined to include ‘any natural/legal person, agency or any other body which alone or jointly with others determines the purposes and means of processing of personal data’ (Article 2(d) of the EU Directive) [p. 8].
Based on this definition, the Court concluded that the term ‘controller’ does not refer only to a single entity, but may concern several actors contributing to the process, with a liability attributable to each of them under the applicable data protection provisions. Thus, while Facebook Ireland was regarded as a primary controller under Article 2(d) of the EU Directive, the administrator of the fan page also contributes to the determination of the purposes and means of processing the personal data of the visitors to the fan page and was, therefore, jointly responsible under the EU Directive.
CJEU’s decision to hold Wirtschaftsakademie accountable was premised on several reasons. First, a fan page administrator’s contract with Facebook to obtain statistics by using cookies Facebook places on the computer of the persons visiting the fan page involved the definition of parameters by the administrator, based on the characteristics of the audience and its objectives of managing and promoting its activities. This, in turn, influences processing of personal data. By using Facebook’s services, a fan page administrator subscribed to the fact that the visitors’ personal data would be processed in order to produce viewing statistics. The processing would not have occurred without the decision to create and operate the fan page.
Secondly, by utilising the filters made available by Facebook, the administrator can ‘define the criteria in accordance with which the statistics are to be drawn up and even designate the categories of persons whose personal data is to be made use of by Facebook’ [p. 9]. For instance, the administrator has the potential to target various demographic trends of its audience, including their age, sex, relationship, occupations, data on lifestyle choices, purchasing habits, interests, geographical data etc. Further, the fact that the administrator could influence the specific way in which the tool for compiling viewing statistics was used indicated controller responsibility. On these grounds, the Court considered the administrator to take part in the determination of the purposes and means of the processing of personal data of visitors on the page.
The Court clarified that the transmission of information by Facebook to the administrator in an anonymised form had no bearing on the outcome of the case, as the EU Directive does not mandate each of the joint controllers to have access to personal data. Consequently, the mere fact that the administrator uses the social media platform to benefit from its services was not enough to exempt it from the scrutiny under data protection laws.
On the second question concerning ascertainment of national law which applies in processing personal data, the Court laid down two conditions as stipulated under Article 4(1)(a) of the EU Directive – (i) the establishment of the controller must fall within the territory of the Member State of the supervising authority and (ii) processing of data must be carried out ‘in the context of activities’ of the establishment in question. While the first condition is satisfied by an ‘effective and real exercise’ of activity by means of stable arrangements (and not by simply setting up a branch/subsidiary with a legal personality), the second condition is fulfilled by a broad interpretation of the expression ‘in the context of activities of an establishment’ to ensure complete protection to fundamental rights [p. 12].
The application of the aforementioned ‘test’ led the Court to conclude that, first, Facebook Inc. had a permanent establishment in Germany (through its entity ‘Facebook Germany’ in Hamburg) responsible for promoting and selling advertising space in Germany. Secondly, the processing of personal data was carried out by Facebook Inc. jointly with Facebook Ireland. Since the activities of Facebook Germany from ads posted on web pages accessed by users formed a substantial part of its income, its activities were held to be ‘inextricably linked’ to the processing of personal data and were activities of an establishment within the meaning of Article 4(1)(a). The Court, therefore, held that German law was applicable and the supervisory authority ULD was competent to exercise its powers in deactivating the fan page of the Respondent.
Finally, the Court answered the third set of questions in the affirmative. ULD was held entitled to assess the lawfulness of the data processing at issue independently of the assessments made by the Irish supervisory authority. The Court noted that there was no criterion in the EU Directive prioritizing governance of one supervisory authority over another, and a competent supervisory authority under its own national law cannot be obliged to adopt a conclusion arrived at by another supervisory authority, should an analogous situation arise.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The judgment presents a mixed outcome. The contours of the intersection of free speech and protection of personal data have always been hard to define. It is of key importance, however, to ensure data privacy does not compromise principles of free speech. In a strict sense, weaponising data protection laws to propel expression in cases that rely on or include personal data should be avoided. While international efforts to balance these fundamental rights are well developed, this case represents worthy progress in the existing jurisprudence. The judgment strengthens the ability of supervisory authorities to intervene and protect expression while at the same time adhering to the limitations of privacy laws and non-consensual processing of data. In time, as the practice of enforcing laws such as GDPR unfolds, it remains to be seen whether the balance between the two fundamental rights is met not just in laws, but in practice as well.