EU Court: Facebook page administrators are jointly responsible for data processing

The European Court of Justice has ruled in a ruling that the administrator of a Facebook page, together with Facebook, must be regarded as responsible when it comes to the processing of personal data. Supervisors can address those administrators.

The European court states that there is no doubt that Facebook is responsible for the processing of personal data of visitors to pages on its social network. In the ruling, however, the judge also places the shared responsibility with the administrator of that page. This means that both parties must ensure the protection of personal data and that, for example, supervisors can also knock on the door of the administrators if they do not comply with privacy legislation.

The judge came to this conclusion because an administrator of a Facebook page can request certain information about the visitors to that page, for example about age, gender, profession, lifestyle and interests. He thereby processes personal data. In addition, the administrator also determines the purpose of this processing because he can influence the settings of his page, for example by setting filters. According to the Court, it does not matter that the administrator only gains insight into anonymized statistics, which were initially collected by Facebook with cookies.

The responsibility does not extend to Facebook users. The Court stated: “Although a Facebook user does not become co-responsible for the processing of personal data by this network by the mere use of a social network such as Facebook, it should be noted, on the other hand, that the administrator of a fan page on Facebook, by creating of such a page offers the possibility to place cookies on the computer or on any other device of the person who has visited the fan page, regardless of whether this person has a Facebook account.”

It is important that the Court emphasizes that this is a shared responsibility, but not necessarily an equal one. For example, the ‘level of responsibility’ must in any case be determined on the basis of the circumstances. The current case came to the European court because a German judge asked questions when assessing a case. In it, a German privacy regulator had ordered a company, Wirtschaftsakademie Schleswig-Holstein, to delete its Facebook page. The company objected to this decision, saying it was not responsible for the processing.

The concepts of controller and processing arise from privacy legislation and are explained in more detail in the recent article on the GDPR. The current lawsuit concerns the interpretation of the directive that has been replaced by the GDPR.