‘Cruise control for the social media age, or stuck in second gear?’ The issue of defining data controllership is “particularly thorny” says AG, and looking to become thornier as complete control is becoming less and less common in practice

Last month, Advocate General (AG) Bot of the Court of Justice of the EU (CJEU) delivered an opinion which, although non-binding in nature, could potentially have far-reaching consequences for the development of data protection law in the EU. The non-binding opinion concerns a number of questions brought before the CJEU in relation to case C-210/16, which concerns a dispute between a regional German data protection authority (DPA) and a private education company, Wirtschaftsakademie Schleswig-Holstein GmbH (an education company). The main issue for the AG to consider was whether the German DPA was entitled to utilise its powers of intervention under the Data Protection Directive (DPD) against the education company, despite the fact that the latter was considered by the German courts not be a ‘data controller’ for the purposes of the definition of this concept under Article 2(d) DPD (“the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”).

The request for a preliminary ruling concerned the legality of an order made by the DPA against the education company, which required the latter to deactivate a fan page hosted by Facebook Ireland, the entity that Facebook Inc has designated the controller of personal data processing by it in the EU. (A Facebook fan page is a special Facebook user account that individuals and businesses to set up in order to promote themselves, usually for the purposes for commercial purposes).

The DPA had alleged that, by failing to inform end users visiting the fan page that their data would be automatically collected by Facebook via cookies installed on their computing equipment, the fan page infringed a variety of provisions of German data protection law implementing the DPD. These data were collected via Facebook for the purposes of compiling anonymous statistical information, which would benefit the education company, and for the purposes of refining Facebook’s targeted behavioural advertising endeavours. By contrast, the education company argued that it was not responsible for the activities carried out by Facebook, including the automatic installation of cookies on end users’ computing equipment, and therefore it was not a data controller in respect of such personal data processing, and so it should not be subject to the exercise of the powers of the German DPA.

After being contested in the German Administrative Court and the Higher Administrative Court, the German Federal Administrative Court agreed that the education company was not a controller because, it concluded, the organisation had no power to influence the collection of personal data or the purpose of any subsequent processing in this context. However, in its request for a preliminary ruling to the CJEU, the Court asked for clarification on six questions, which can be summarised as follows:

1. Are data controllers the only parties capable of incurring liability and responsibility for data protection violations? Alternatively, do DPAs have jurisdiction to exercise their powers of intervention under Art.28 DPD in relation to undertakings that are not data controllers per the DPD’s definition?
2. Under Art.17(2) DPD, is it possible to infer a possible duty for making the same careful choice in respect of other multi-tiered information provider relationships, other than those between controllers and processors? (This provision specifies that in sub-contractual relationships, where a data controllers delegates data processing activities to a dedicated data processor, the controller is under a duty to choose a processor which provides sufficient guarantees in respect of technical security and organisational measures in respect of the processing to be carried out).
3. Where an undertaking is primarily based outside the EU (e.g. Facebook), but has subsidiaries established within the territories of the EU (e.g. Facebook Germany and Facebook Ireland), is the DPA of one EU Member State entitled to use its powers of intervention against a subsidiary based in its territory but not responsible for making determinations in respect of the purposes of the collection and processing of personal data throughout the EU, whilst another subsidiary of the same undertaking based in another Member State has this responsibility?
4. Where a controller has an establishment in one Member State responsible for determining the purposes of acts of personal data collections and processing (e.g. Facebook Ireland), and another legally independent establishment in another Member State whose responsibilities are restricted to marketing activities targeted at the inhabitants of that Member State (e.g. Facebook Germany), is the DPA of the latter Member State entitled to exercise its powers of intervention against the establishment in its territory, or are such powers exercisable only by the DPA of the Member State where the determinations regarding the collection and processing of personal data are undertaken?
5. In cases where the DPA based in one Member State exercises its powers of intervention against a person/entity in its territory (on the grounds of failing to exercise due care in choosing a third party located in another Member State to be involved in personal data processing activities due to that third party being an infringer of the DPD), is the DPA bound by the appraisal of a DPA from the Member State where the third party is based, or can the DPA of the first Member State come to its own independent conclusion?
6. Where the DPA of a Member State is in a position to conduct an independent investigation, does Art.28 DPD permit it to exercise its powers of intervention against a person/entity established in its territory on the grounds of an alleged data protection violation for which they are jointly responsible with a third party established in another Member State, or must it first request that a DPA of the Member State where the third party is based exercise its own powers before it is permitted to act?

In response to the first two questions, the AG argued that both were premised on the mistaken belief that a Facebook fan page could not be a controller for the purposes of the DPD. This, he suggested, was fundamentally wrong. Whilst acknowledging that, first and foremost, the administrator of a Facebook fan page is an individual end user of Facebook, the AG said that this in itself is not enough to preclude it being responsible for the collection of user data by Facebook itself. Drawing on the definition of controller contained in Art.2(d), the AG argued that so long as the administrator of a fan page has influence over, or can “determine”, the purpose and means of any data collection and processing linked to end users visiting the page, they will be a controller for the purposes of the DPD.

So why exactly, on the facts of this case, did the AG conclude that the administrator of this particular fan page was definitely a controller? In short, this conclusion was primarily based on two main factors.

• Firstly, the collection and subsequent processing of user personal data by Facebook would not have been possible if the administrator had not created the fan page. Accordingly, the creation of the fan page by the administrator represented an agreement to Facebook’s means and purposes of processing personal data, and therefore signified that the administrator had participated in the “determination” of those ways and means.
• Secondly, due to technological insight tools offered by Facebook, fan page administrators are able to influence the specific way in which Facebook itself uses its data collection tools in relation to visitors to their fan page. This can allow the administrator to effectively define a personalised audience, and designate categories of users whose personal data will be collected. This, according to the AG, must also be considered as participating in the “determination” of the means and purposes of an act of data processing.

In circumstances similar to the immediate case, therefore, Facebook fan page administrators, as well as administrators of fan pages on similar platforms, must be considered joint data controllers along with Facebook. In reaching this conclusion the AG drew an analogy to help support his conclusion: if an undertaking were to make its own website and utilised similar tools to those made available through Facebook for the purposes of managing fan pages, it would undoubtedly be considered a controller. Accordingly, he argued, as there was no “fundamental difference” between the two scenarios, it would be wrong for the law to treat them differently!

In response to the third and fourth questions, the AG drew attention to the fact that, as mentioned, Facebook Ireland was Facebook’s designated data controller in the EU, whereas Facebook Germany was only responsible marketing endeavours aimed at German users. He then suggested that in order to answer the question of whether a DPA based in one Member State is entitled to exercise its powers of intervention in relation to processing activities for which a party in another Member State is responsible, it is necessary to first determine whether the DPA in the first Member State has the right to apply its own national law to the data processing in question.

Turning to the facts of this case, the AG opined that the German DPA was indeed entitled to exercise its powers of intervention against Facebook Ireland, despite the latter being based in another Member State. Specifically, he alluded to Art.4(1)(a) DPD specifying that acts of personal data processing will be governed by the law of the Member State in which said processing is carried out in “the context of the activities of an establishment” of a controller on the territory of that Member State. In other words, the applicability of the national law of any Member State to an act of personal data processing requires the controller 1) to have an “establishment” in that Member State, and 2) the processing must be carried out “in the context of the activities of that establishment”. With both these points in mind, the AG argued that as Facebook Germany has a registered office in Hamburg through which it carries out its business, it undoubtedly should be considered an establishment for the purposes of Art.4(1)(a).

In reaching this conclusion, the AG also drew on previous decisions of the CJEU in the Google Spain and Weltimmo cases (to reminder readers, posts about the latter decisions on this blog can be found here and here). The AG laid emphasis on the fact that – as Facebook Germany was responsible for marketing to German Facebook users – the personal data processed by it in relation to this must be considered as being “in the context” of Facebook Germany’s engagement with its users.

So, what does this mean for DPAs who find themselves in this context? The AG concluded that that the German supervisory authority indeed had the power to apply its own national law to the proceedings and could exercise all its powers of intervention to ensure that German law was applied by Facebook on German territory. In other words, neither the place where the processing is carried out nor where the controller is established are decisive in determining which national law applies to data processing activities.

Moreover, he argues that the suggestion that Art.4(1)(a) should be interpreted as requiring data controllers to have regard for the legislation of one Member State only was contrary to the wording of the DPD (specifically Recital 19, which mentions the possibility of the application of multiple national legislations to data processing activities), but also:

• an inability for DPAs to target data controllers in other Member States would neuter their competency under Art.28 to uphold data protection law (as it is only through targeting the controller in a particular data processing operation through which any alleged infringements could be effectively combatted), and
• allowing DPAs to impose measures on controllers that are not established in their own Member State would not represent the DPA overstepping its power, as the purpose of all DPAs is to ensure compliance with data protection law in all Member States.

Regarding the fifth and sixth questions, the AG concluded that a DPA must be able to use its powers of intervention in an autonomous way unfettered by any obligations to first correspond with, or defer to, another DPA.

The AG’s opinion is noteworthy for a number of reasons. Most strikingly, it perhaps represents a notable broadening of the notion of a data controller, a concept that already enjoys wide definition. If the AG’s approach were to be followed in the final CJEU judgement due imminently and adopted by the CJEU in future case law, this would seemingly open the door further to the possibility of individual users of social networking sites like Facebook to be categorised as controllers (a door the possibility of which has become to be wedged open under EU law in recent years), and therefore be made subject to the substantive tenets and provisions of the European data protection framework.

More generally, the AG’s expansive approach to the powers and abilities of DPAs regarding cross-border effects of personal data activities in the EU, as well as the applicability of national data protection law, may also raise interesting questions in relation to conflicts of laws and jurisdiction. What must also be kept in mind, however, is that after the GDPR replaces the DPD next May, the ‘One-Stop-Shop mechanism’ (discussed here by the influential Article 29 Working Party) will ensure that any regulatory action in relation to an alleged infringement of data protection law will be driven and overseen by the DPA located in an undertaking’s main EU establishment.

Meaning – after all that – if adopted, AG Bot’s approach on jurisdiction may be short-lived!

Henry Pearce