Administrator of Facebook fan page held to be data controller

Published on 09 August 2018

Is the administrator of a fan page on Facebook a "controller" for the purposes of the Data Protection Directive (95/46/EC) (DPD)?

The background

A German company that offers education and training services established a Facebook fan page that allowed it to view general analytical information via the 'Facebook insights' tool. In essence, Facebook would gather statistical data regarding the visitors to the company's fan page and would share this anonymised information with the company. The company would also have Facebook place targeted ads on the fan page. Under this arrangement, the company did not receive or collect any personal data; only Facebook was collecting personal information.

However, the company did not alert any of the visitors to its fan page that their personal data would be collected in order to produce the analytical information and advertisements, which constituted a breach of the Data Protection Directive. As a result, the German Data Protection Authority (DPA) (the Schleswig-Holstein authority) ordered the company to deactivate its fan page.

The company subsequently challenged this order in the German courts, making the point that Facebook was in fact the controller of the data, not the company. On that basis, it argued that the German DPA could not make an order against it and should instead make an order against Facebook (or more specifically, Facebook Ireland). The German courts agreed with the view of the company and characterised Facebook Ireland as the controller.

The Court then referred the matter to the ECJ for an opinion on whether or not a DPA can make an order against a non-controller.

The decision

The ECJ rejected the very basis of the question, finding that the company was in fact a data controller, jointly responsible for the processing of data with Facebook Ireland. By virtue of being an administrator of the fan page, the company was responsible for determining the 'purposes and means' under which Facebook Ireland would process the data. It was held that even though Facebook operated the platform upon which data was collected, the company was benefitting from the page and accordingly was subject to the obligations of the DPD.

Why is this important?

This ruling makes it clear that the administrator of a fan page hosted on a social media platform can be considered a controller (or joint controller), particularly where the administrator is responsible for deciding the purposes for which data will be processed or if the administrator gains some form of benefit from the collection and processing of the data. More importantly, the ruling emphasises the need for suitable privacy/cookie notices to be in place that set out how the processing will take place.

Any practical tips?

For a business that uses a social media fan page for marketing purposes in a way that involves the collection of data, the key message is that you will need to make sure that you have communicated appropriate privacy notices. After all, this case was brought due to a regulatory finding that the administrator of the fan page failed to have a privacy notice in place.