Earlier this month the ECJ published a preliminary ruling finding the fan page admin jointly responsible with Facebook for the personal data of the visitors. Although the decision refers to the previously enforceable EU Data Protection Directive, the new ruling paves the way for GDPR and social media practice, since the definition of the processor has not been altered.
The dispute had arisen in 2011 when the data-protection authority of Schleswig-Holstein ordered an educational academy, under the name of Wirtschaftsakademie, to delete its Facebook fan page because it failed to inform its users that personal data had been collected and processed via cookies. In particular, Wirtschaftsakademie used the Insights tool provided by Facebook, which supplied demographic data about its audience following the processing of personal information such as age, sex, relationships, occupation, information on lifestyles and centres of interest etc. Based on the anonymised demographic data, the admin is able to customise its Facebook content to target the relevant audience.
Wirtschaftsakademie argued before the German administrative courts that it was not responsible for the data collected by Facebook without its instructions. However, the ECJ, after being asked by the national court, decided that the fan page admin and Facebook are jointly responsible as controllers of the personal data. The fact that the platform used to process the personal data was provided by Facebook cannot justify an exemption from joint liability.
Nonetheless, in this dispute with crucial GDPR and social media implications, the European Court clarified that the responsibility of the two controllers, who are involved in different stages of the process, may not be equal. Therefore, the level of responsibility of each operator should be assessed after taking all relevant circumstances of the case into consideration.