Case C-210/16, Wirtschaftsakademie Schleswig-Holstein – Facebook Fan Page visitor data

Organisations and celebrities who use social media can ask Facebook for a ‘Fan Page’. Visitors to that Fan Page will then have their personal data taken and processed by Facebook, which in turn will send the Fan Page-holder anonymised statistical data about who visits the web page. The two main legal questions here are: can a German data protection agency require that a German organisation stops using its Fan Page when Facebook breaches German privacy law? And is it a defence for the institution to turn around and say that it is not processing visitors’ data because Facebook and its cookies do all this, and they do so under the regulatory supervision of the Irish Data Protection Commissioner?

Background
A ‘Fan Page’ is a type of web page that companies and celebrities can set up on Facebook. Holders of a Fan Page are not only able to reach out to people via Facebook’s social media but they also get the statistical data about who visits their Fan Page.

To generate that statistical information, Facebook adds a cookie to the user’s page counter. The cookie contains an ID number, and the cookie is active for a period of two years. Users who are registered with Facebook have their data processed every time they visit pages on Facebook, including the Fan Pages.

In this case, the claimant is an educational institution that is run by three chambers of commerce in a region of Germany. The institution has a Fan Page. However, in 2011 the data protection agency in its region required it to disable its Fan Page. The agency explained that it thought that a Fan Page infringed Germany’s data processing laws. The institution did not agree with the regulator’s interpretation of the law. It pointed out that it was not responsible for the data processing. The matter was put before the local judge.

After five years of litigation, the matter washed up at Germany’s highest court for administrative law, the Bundesverwaltungsgericht.

The judges have heard legal argument on a complex of issues which include: who is the data controller; who is responsible for the data processing when the main headquarters of Facebook is in Ireland but the decisions are made by the parent company in the US; what, if anything, can a local data protection office do against local companies where Facebook infringes local data protection law; or is that a matter for the Data Protection Commissioner in Ireland?

The legal authorities cited in this case include several judgments of the CJEU:

Mention was also made of a German case that is currently pending at the CJEU:

Prof. Berlit and the four other judges of the Bundesverwaltungsgericht did not know how to apply EU law correctly and therefore decided to make a preliminary reference to the CJEU.

Questions Referred
The questions have yet to be published on the Curia website.

Comment
The Advocate General’s Opinion in Breyer was handed down on 12 May 2016. It is not yet available in English but my unofficial translation of the first part of his conclusion reads:

“1. Pursuant to Article 2(a) of the Directive, a dynamic IP address with which a user has gained access to a website from a supplier of electronic media services constitutes personal data when an internet service provider has the supplementary details which, together with the dynamic IP address, make it possible to identify the user.
2. …”

Update – 18 July 2016
According to today’s Official Journal (OJ [2016] C260/18), the Bundesverwaltungsgericht has asked:

1. Is Article 2(d) of Directive 95/46/EC […] to be interpreted as definitively and exhaustively defining the liability and responsibility for data protection violations, or does scope remain, under the ‘suitable measures’ pursuant to Article 24 of Directive 95/46/EC and the ‘effective powers of intervention’ pursuant to the second indent of Article 28(3) of Directive 95/46/EC, in multi-tiered information provider relationships for responsibility of a body that does not control the data processing within the meaning of Article 2(d) of Directive 95/46/EC when it chooses the operator of its information offering?

2. Does it follow a contrario from the obligation of Member States under Article 17(2) of Directive 95/46/EC to stipulate, in cases where data processing is carried out on the controller’s behalf, that the controller ‘must … choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out’, that, where there are other user relationships not linked to data processing on the controller’s behalf within the meaning of Article 2(e) of Directive 95/46/EC, there is no obligation to make a careful choice and no such an obligation can be derived from national law?

3. In cases in which a parent company based outside the European Union has legally independent establishments (subsidiaries) in various Member States, is the supervisory authority of a Member State (in this case, Germany) entitled under Article 4 and Article 28(6) of Directive 95/46/EC to exercise the powers conferred under Article 28(3) of Directive 95/46/EC against the establishment located in its territory even when this establishment is solely responsible for promoting the sale of advertising and other marketing measures aimed at the inhabitants of this Member State, whereas the independent establishment (subsidiary) located in another Member State (in this case, Ireland) is exclusively responsible within the group’s internal division of tasks for collecting and processing personal data throughout the entire territory of the European Union and hence in the other Member State as well (in this case, Germany), if decisions about data processing are in fact taken by the parent company?

4. Are Article 4(1)(a) and Article 28(3) of Directive 95/46/EC to be interpreted as meaning that, in cases in which the controller has an establishment in the territory of one Member State (in this case, Ireland) and there is another, legally independent establishment in the territory of another Member State (in this case, Germany), whose responsibilities include the sale of advertising space and whose activity is aimed at the inhabitants of that State, the competent supervisory authority in this other Member State (in this case, Germany) may direct measures and orders implementing data protection legislation also against the other establishment (in this case, in Germany) not responsible for data processing under the group’s internal division of tasks and responsibilities, or are measures and orders only possible by the supervisory body of the Member State (in this case, Ireland) in whose territory the entity with internal responsibility within the group has its registered office?

5. Are Article 4(1)(a) and Article 28(3) and (6) of Directive 95/46/EC to be interpreted as meaning that, in cases in which the supervisory authority in one Member State (in this case, Germany) takes action against a person or entity in its territory pursuant to Article 28(3) of Directive 95/46/EC on the grounds of failing to exercise due care in choosing a third party involved in the data processing process (in this case, Facebook), because this third party is in violation of data protection legislation, the active supervisory authority (in this case, Germany) is bound by the appraisal of data protection legislation by the supervisory authority of the Member State in which the third party responsible for the data processing has its establishment (in this case, Ireland) meaning that it may not arrive at a different legal appraisal, or may the active supervisory authority (in this case, Germany) conduct its own examination of the lawfulness of the data processing by the third party established in another Member State (in this case, Ireland) as a preliminary question prior to its own action?

6. Where the possibility of conducting an independent examination is available to the active supervisory authority (in this case, Germany), is the second sentence of Article 28(6) of Directive 95/46/EC to be interpreted as meaning that this supervisory authority may exercise the effective powers of intervention conferred on it under Article 28(3) of Directive 95/46/EC against a person or entity established in its territory on the grounds of their joint responsibility for data protection violations by a third party established in another Member State only and not until it has first requested the supervisory authority in this other Member State (in this case, Ireland) to exercise its powers?

Update – 20 September 2016
The right of Facebook to be sued only in Ireland is now also at stake in a fresh preliminary reference from the Austrian Supreme Court.

Update – 23 September 2016
Part of the information contained in the update of 20 September has now been moved; see further, Case C-498/16, Schrems – a Facebook consumer or simply in the business of privacy?