Case C-210/16 and joint liability for third party processing activities
June 5th, 2018 saw the Court of Justice of the European Union (CJEU) issue its final judgment in Case C-210/16. The case focuses on the liability issues surrounding the use of third party platforms for commercial activities. More specifically, the Court was asked to answer questions relating to the use of Facebook fan pages.
Without wanting to regurgitate the entire case (you can read the judgment here) the Court was asked if a company using a Facebook fan page could be considered as liable for the processing of personal data by Facebook of data subjects who visited that page.
Those familiar with the case will have read the formal Opinion of Advocate General Yves Bot of the CJEU, published last October, in which he states:
I conclude from the foregoing that, in circumstances such as those of the dispute in the main proceedings, the administrator of a fan page on a social network such as Facebook must be regarded as being responsible for the phase of personal data processing consisting in the collection by that social network of data relating to people who visit the fan page.
In other words, by facilitating the collection of personal data as a result of setting up the Fan Page, the Administrator is seen as a joint controller.
Unsurprisingly, the final judgment by the Court stands by that Opinion, ruling that:
Article 2(d) of Directive 95/46 must be interpreted as meaning that the concept of ‘controller’ within the meaning of that provision encompasses the administrator of a fan page hosted on a social network.
There are some very interesting consequences of the ruling, not least being that as a joint controller the administrator of the fan page becomes jointly liable for the processing activities of Facebook and as a joint controller can be the subject of a regulatory complaint or litigation directly and independently of Facebook.
This is potentially a very dangerous situation for Administrators: whereas litigating against Facebook may seem unlikely due to costs, the same might not be true of an Administrator of a fan page, which might be a much smaller and less well resourced organisation than Facebook and therefore a much more attractive candidate for litigation.
Furthermore, even if the Administrator removes their fan page they have no knowledge or control of any further processing of data subjects whose data Facebook holds as a result of visiting said page; but could still potentially be liable as a controller who originally determined the means of processing (collection) for Facebook’s ongoing activities after the fact.
Of course one must also assume that the Judgment should apply to other platforms such as corporate pages on LinkedIn, corporate Instagram accounts, corporate Twitter accounts etc., as these are all situations where the Administrator has facilitated the collection (which is a processing activity) of personal data by those platforms, just as in the Facebook scenario considered by the Court.
As such, there is a significant risk in the use of these third party platforms by organisations due to the legal liability they inherit as a result; and organisations should do their due diligence to determine whether or not these platforms are suitable places to conduct their business. In many cases (and this is certainly the position we take with our clients) it would be ill-advised to do so.
There were some other interesting points made in the Judgment — in particular with regards to the powers of Supervisory Authorities which re-iterate points made in C‑131/12 (Google Spain “Right to be forgotten”); and determining where an organisation is established for the purposes of supervisory oversight and enforcement.
One could also argue that the Judgment can be applied horizontally to any processing which is facilitated by an Organisation, not just those situations which arise from setting up assets such as Facebook fan pages and the other examples listed above.
For example, if you embed third party assets within your Organisation's web page, you are effectively facilitating the processing of personal and communications data by those third parties as per the GDPR and ePrivacy Directive, and therefore should be considered a Joint Controller in these circumstances also.
Thankfully this is not a question which we will need to wait long for case law to answer as Case C-40/17 (FashionID) looks at this issue specifically and a judgment is expected within the next 12 months.
Indeed, Case C-40/17 is referenced by Yves Bot in his Opinion above, where he states:
In my opinion, there is also no need to draw an artificial distinction between the situation in question in the present case and that in Case C‑40/17, Fashion ID.
That case concerns the situation in which the manager of a website embeds in its website a programming code (in this instance, Facebook’s ‘Like’ button) of an external provider (Facebook) which, when activated, transmits personal data from the computer of the website user to the external provider.
In the dispute which has given rise to that case, a consumer protection association has made a complaint against the company Fashion ID for having enabled Facebook, by embedding in its website the ‘Like’ function provided by the Facebook social network, to access the personal data of users of that website without their consent and in breach of the obligations to provide information laid down in the provisions on the protection of personal data. Thus, the issue arises of whether the fact that Fashion ID enables Facebook to access the personal data of users of its website means that that company may be classified as a ‘controller’ within the meaning of Article 2(d) of Directive 95/46.
I fail to see any fundamental difference between the position of a fan page administrator and that of the operator of a website that embeds in its website a programming code of a provider of web tracking services, thus enabling the transmission of data, the downloading of cookies and the collection of data for the benefit of the provider of the web tracking services all without the knowledge of the Internet user.
Social plugins enable website operators to use certain social networking services on their own websites in order to increase their website’s visibility, for example by embedding in their websites Facebook’s ‘Like’ button. Like fan page administrators, operators of websites with embedded social plugins can benefit from the ‘Facebook Insights’ service and obtain precise statistical information about the users of their website.
As happens when a fan page is visited, visiting a website that contains a social plugin will trigger the transmission of personal data to the provider in question.
In my opinion, in such circumstances, like the administrator of a fan page, the manager of a website that contains a social plugin should, to the extent that it has a de facto influence over the phase of data processing which involves the transmission of personal data to Facebook, be classified as a ‘controller’ within the meaning of Article 2(d) of Directive 95/46.
It is expected that the final Judgment in Case C-40/17 will echo the Facebook fan page judgment; and indeed any ruling to the contrary would be in direct conflict with this recent Judgment which would not be a desirable position for the CJEU to take (and would not be consistent with their behaviour historically).
It stands to reason that both cases combined mark the need for a paradigm shift in the way organisations conduct their activities when it comes to the use of third party services and platforms. If they continue to use these services and platforms without conducting due diligence, they are creating a significant compliance risk; choosing a platform simply because it has a large userbase is a poor basis for such a decision, and the evaluation should instead prioritise the lawfulness of the processing activities of said third parties.
This is a good thing, as it means that in order to continue to offer such services, these third parties will need to change their behaviour to fully comply with European law — if they fail to do so, organisations will simply cease the adoption of these services and platforms leading to a shrinking of the market share of these dominant players and making room for the emergence of more privacy friendly alternatives (a market which is already seeing significant investment and growth); which can only be considered as a win/win for data subjects and their fundamental rights.
Taking all of this into consideration, I would urge that my readers take the time to seriously evaluate their own decisions on the use of such platforms and services and take the relevant steps to both limit their risk and protect the fundamental rights of their data subjects.