EU Court Says Blame Is Shared for Facebook Privacy Gaffes

(CN) – A German education entity that benefitted from Facebook’s collection of user data failed to persuade the EU’s top court Tuesday that it had no share in the blame.

Facebook’s data center in Pineville, Oregon.

Wirtschaftsakademie Schleswig-Holstein came under fire in its homeland seven years ago when a government agency dedicated to data protection ordered it to deactivate a fan page it administrated on Facebook.

Using a free tool called Facebook Insights, Wirtschaftsakademie was able to obtain statistical data on users who visited its page, but German regulators found that the page failed to disclose Facebook’s use of cookies for data-collection purposes.

After the Wirtschaftsakademie challenged its sanction, however, Germany’s Federal Administrative Court asked the European Court of Justice to determine whether Facebook alone should be deemed responsible for processing of personal data.

The Wirtschaftsakademie noted that it had not commissioned Facebook to process the data, after all, nor could it influence the social media giant in any way.

On Tuesday, the Grand Chamber of the Luxembourg-based court held that joint liability was proper.

“The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data,” the unsigned opinion fro the 15-judge court states.

Tuesday’s ruling also emphasizes that it is possible for non-Facebook users to visit fan pages.

“In that case, the fan page administrator’s responsibility for the processing of the personal data of those persons appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data,” the ruling continues.

Tuesday’s ruling aligns largely with the recommendation of the court’s advocate general last year.

It also quotes Advocate General Yves Bot’s observation “that the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data.”

“On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case,” the ruling states.

The ruling closes with affirmation that German regulators are allowed to probe Facebook for data misuse even though the company’s EU base is in Ireland. Germany can exercise its powers of intervention with respect to the entity that Facebook “established in its territory without first calling on the supervisory authority of the other Member State to intervene,” according to the ruling.

Facebook voiced disappointment with the ruling in a statement through an unidentified spokesperson.

“Businesses of all sizes across Europe use internet services like Facebook to reach new customers and grow,” the spokesperson said. “While there will be no immediate impact on the people and businesses who use Facebook services, we will work to help our partners understand its implications. We are compliant with applicable European law and as part of our preparations for GDPR, we have further improved our privacy policies, controls and tools to make them clearer.”

GDPR is an abbreviation for the General Data Protection Regulation, which has only been in force in the EU since May 25, 2018.

Facebook emphasized that the case involving the Wirtschaftsakademie was brought under the old data-protection directive, and that the GDPR has since clarified various points of jurisdiction while also introducing rules that ensure transparency between  businesses and internet users.

A spokesman for the Wirtschaftsakademie referred a request to comment to a representative for the Kiel Chamber of Commerce for the Schlewswig-Holstein region.

“From the point of view of the European Court of Justice, data processing is primarily the responsibility of Facebook, while the operators of fanpages are merely involved,” said Marcus Schween, a legal expert at the Schleswig-Holstein Chamber of Commerce. The chamber’s statement was provided originally in German.

Schween called it disproportionate and unlawful to target individual fan page operators, since national authorities can turn to Facebook directly.

“This is appropriate, because it is much more effective to conduct data protection disputes directly with Facebook itself,” Schween said.

In instances where there are legitimate violations of data-protection rules, “Facebook alone can turn them off,” Schween added.

Operators of Facebook fan pages, on the other hand, have no way to influence Facebook data processing, he said.

Schween also emphasized the importance of the trade union getting involved.

“For a small company [to be involved in] such a dispute, especially over the duration of so many years, simply was not a viable option,” Schween said. “Companies in Schleswig-Holstein would have been effectively excluded from the rapid development that social networks have undergone in recent years – a considerable competitive disadvantage.”

%d bloggers like this: