(CN) – Facebook should be held liable, an adviser to Europe’s highest court recommended Tuesday, for not disclosing that its website stores personal data from visitors to user fan pages.
The appeal arose after a German data-protection authority known as the Landeszentrum ordered the private education company Wirtschaftsakademie to deactivate its fan page on Facebook.
Regulators claimed that Facebook was collecting and processing the personal data of anyone who visited the fan page, but that neither the Wirtschaftsakademie nor Facebook conveyed this to visitors of the fan page.
The Wirtschaftsakademie argued on appeal that it is not responsible for Facebook’s data processing or installation of cookies.
Germany’s Federal Administrative Court in turn referred the case to the European Court of Justice, seeking insight as to whether operators of Facebook fan pages have a responsibility under the EU’s Data Protection Directive.
Advocate General Yves Bot recommended Tuesday that, when it comes to data processing, the Luxembourg-based body find joint liability for Facebook and the operators of its fan pages.
“Admittedly, a fan page administrator is first and foremost a user of Facebook, one that makes use of Facebook’s tools so as to gain better visibility,” the 34-page opinion states. “Nevertheless, that fact does not mean that the fan page administrator cannot also be regarded as responsible for the phase of the data processing which is the subject of the dispute in the main proceedings, that is to say, the collection of personal data by Facebook.”
In recommending shared liability, Bot noted that the Wirtschaftsakademie ultimately determines the means and purposes of that data processing.
“By having recourse to Facebook for the publication of its information offering, a fan page administrator is subscribing to the principle that the personal data of visitors to his page will be processed for the purpose of compiling viewing statistics,” the opinion states. “Even though a fan page administrator is not, of course, the designer of the ‘Facebook Insights’ tool, he will, by having recourse to that tool, be participating in the determination of the purposes and means of the processing of the personal data of visitors to his page.”
Bot also emphasized the closely related objectives pursued by administrators of fan pages like the Wirtschaftsakademie and service providers such as Facebook Inc.
“The Wirtschaftsakademie wishes to obtain viewing statistics for the purpose of managing the promotion of its activities, and to obtain those statistics the processing of personal data is necessary,” the opinion states. “That same data processing will also enable Facebook better to target the advertising which it publishes on its network.”
Bot’s opinion concludes with an endorsement of the authority of German regulators, here the Landeszentrum, to penalize an entity incorporated abroad, Facebook Ireland, which bears sole responsibility for Facebook’s data collection and processing in the EU.
While Facebook Germany is responsible only for the promotion and sale of advertising space and other marketing activities directed toward German residents, Bot noted that Facebook Ireland’s data-collecting activities — namely the installation of cookies to track fan-page visitors — “is specifically intended to enable Facebook better to target the advertisements which it publishes.”
Thus, “that data processing must be regarded as taking place in the context of the activities in which Facebook Germany engages in Germany,” Bot wrote.
“Given that social networks such as Facebook generate much of their revenue from advertisements posted on the web pages set up and accessed by users, it must be concluded that the activities of the joint controllers Facebook Inc. and Facebook Ireland are indissolubly linked to those of an establishment such as Facebook Germany,” he continued.
Bot concluded that Article 4(1)(a) of the EU’s data-protection directive deliberately allows, “in cases where a controller has several establishments within the European Union, the application of multiple national legislative systems for the protection of personal data to the processing of the personal data of residents in the Member States concerned, so as to ensure effective protection of their rights in those Member States.”