The Court of Justice of the European Union (CJEU) has ruled that Facebook and the operator of a Facebook page are equally responsible for the protection of visitors' personal data. Each must inform visitors on how personal data is processed.
In Case C-210/16: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, the CJEU explained that the German company Wirtschaftsakademie Schleswig-Holstein (WSH) provides educational services by way of a Facebook fan page.
By way of 'Facebook Insights', administrators are able to obtain anonymous visitor data. The data is collected via cookies on the Facebook page. It allows a 'user code' to be stored and matched with connection data.
The Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (data protection authority for Schleswig-Holstein, Germany) got involved in 2011 and ordered WSH to disable the Facebook page. The aforementioned data protection authority claimed that users of the page had not been informed by either WSH or Facebook on how the personal data would be processed and collected.
WSH subsequently went to the German courts and claimed that it could not be recognised as the data processor for data that was being processed by Facebook. Furthermore, WSH claimed that it had not asked Facebook to process the personal data. WSH submitted that the data protection authority had the wrong person; it should have gone after Facebook.
The Federal Administrative Court of Germany asked the CJEU to analyse Directive 95/46 (on data protection). The results are as follows:
The CJEU confirmed that Facebook US and subsidiary Facebook Ireland are data 'controllers' and therefore responsible for the processing of personal data of visitors to Facebook.
The CJEU then went on to state that WSH is also a data 'controller'. To that end, WSH and Facebook are jointly liable for the processing of the data. The Court explained that an administrator is not excused from compliance with data protection laws merely because it uses a platform provided by Facebook.
So there we go, Facebook page administrators are jointly liable for data protection alongside Facebook.
Read the full judgement here: http://curia.europa.eu/juris/documents.jsf?num=C-210/16