Facebook page operator responsible for visitors data protection

The Court of Justice of the European Union (CJEC) has ruled that Facebook and the operator of a Facebook page are equally responsible for the protection of visitors’ personal data. Each must inform visitors on how personal data is processed.

In Case C-210/16: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH the CJEU explained that the German company Wirtschaftsakademie Schleswig-Holstein (WSH) provides educational services by way of a Facebook fan page.

By way of ‘Facebook Insights’, administrators are able to obtain anonymous visitor data. The data is collected via cookies on the Facebook page. It allows a ‘user code’ to be stored and matched with connection data.

The Unabhängiges Landeszentrum für Datenschutz SchleswigHolstein (data protection authority for Schleswig-Holstein, Germany) got involved in 2011 and ordered WSH to disable the Facebook page. The aforementioned data protection authority claimed that users of the page had not been informed by either WSH or Facebook on how the personal data would be processed and collected.

WSH subsequently went to the German courts and claimed that it could not be recognised as the data processer for data that was being processed by Facebook. Furthermore, WSH claimed that it had not asked Facebook to process the personal data. WSH submitted that the data protection authority had the wrong person, it should have gone after Facebook.

The Federal Administrative Court of Germany asked the CJEU to analyse Directive 95/46 (on data protection), the results are as follows:

The CJEU confirmed that Facebook US and subsidiary Facebook Ireland are data ‘controllers’ and therefore responsible for the processing of personal data of visitors to Facebook.

The CJEU then went on to state that WSH is also a data ‘controller’. To that end, WSH and Facebook are jointly liable for the processing of the data. The Court explained that because an administrator uses a platform provided by Facebook it is not excused from compliance with data protection laws.

So there we go, Facebook page administrators are jointly liable for data protection alongside Facebook.

Read the full judgement here: http://curia.europa.eu/juris/documents.jsf?num=C-210/16

share this Article

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on email

Recent Articles