The powerful nature of the GDPR has instilled fear among businesses across the globe. As most companies rush toward compliance, some try to hide behind others. Just weeks after the GDPR came into effect, the European Court of Justice (ECJ) decided a case that made clear that businesses cannot avoid liability by hiding behind other companies.
The issue before the ECJ concerned a decision from 2011 when the German data protection authority ordered a company to shut down its Facebook page for failing to inform users of the processing and collection of their personal data.
What Sparked the Legal Issue?
To better understand this issue, it is best to break it down step by step. First, Facebook uses cookies to collect personal data about visitors to the company’s page. Second, the company (Facebook page administrator) obtains the anonymous statistical data about its visitors. Finally, the company tells Facebook to place targeted ads on its Facebook page.
Facebook’s Legal Issue
The central issue was whether the company using the Facebook page was a controller, even though it never obtained or had any access to the personal information collected by Facebook’s cookies.
A controller is someone who determines the purposes and the means for the processing of personal data. The data protection authority maintained that the company was the “controller” of the personal data collected through its fan page; therefore, it was responsible. The company denied responsibility for Facebook’s processing of personal data and argued that any action should be brought against the social network.
Court’s Ruling
The Court held that the company was a “controller” and was jointly responsible with Facebook for the processing of data on its page. It reasoned that the administrator of the company’s page contributed to Facebook’s determination of the means and purposes of processing the visitors’ data. Specifically, the page administrator takes part in deciding what data to collect and how to process it: the administrator defines a target audience and requests information about the lifestyles and interests of its visitors to the page. The Court stated, “[t]he fact an administrator of a fan page uses the platform provided by Facebook to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.”
The Impact on FB Page Administrators Moving Forward
This decision highlights the need for page administrators and businesses to take additional steps to ensure GDPR compliance on their pages. Under the GDPR, businesses that process page visitors’ personal data with no lawful basis face fines of up to EUR 20,000,000 or 4% of the total annual worldwide turnover. Rather than accept the risk of noncompliance, let us help your business reach its compliance goals today.