Press Release: Privacy co-responsibility for organizations that embed Facebook

2. July 2018

Rechtsexperten des Forschungsverbunds „Forum Privatheit“ beleuchten die langfristigen Auswirkungen des EuGH-Urteils zu Facebook-Fanpages: Neben sozialen Netzwerken gehören auch Suchmaschinen, Messenger- und Kurznachrichten-Dienste auf den Prüfstand.

On 5 June 2018, the European Court of Justice (ECJ) announced its ruling in the legal dispute between the Independent Centre for Data Protection Schleswig-Holstein (ULD) and the Wirtschaftsakademie Schleswig-Holstein GmbH. The subject of the legal dispute was an order issued by the ULD to the Wirtschaftsakademie to deactivate its Facebook fan page because Facebook inadmissibly collected personal data from visitors to this fan page and processed it to produce visitor statistics.
It was questionable whether, in addition to Facebook, the Wirtschaftsakademie as the operator of the fan page should also be regarded as the person responsible for data processing within the meaning of data protection law. This was affirmed by the court. The use of Facebook as a platform for providing the fan page does not release the operator from data protection obligations. Whether the fanpage operator has access to the collected personal data of the social network is irrelevant.
Effects of the ruling
"The ECJ ruling has a major impact on companies, authorities and other organisations that use Facebook offers for their purposes. They become jointly responsible for all related Facebook data processing practices. Since they cannot influence these, but are responsible for them, they can no longer use Facebook without risk," states Prof. Dr. Alexander Roßnagel, spokesman for the "Forum Privatheit" and a jurist at the University of Kassel.
In its ruling, the European Court of Justice represents a broad interpretation of the concept of the person responsible under data protection law. Its responsibility is to ensure the greatest possible protection of data subjects during the processing of their personal data. Therefore, it is not only the social network that is responsible for data processing, but also the organisation that uses Facebook for its purposes (as in the decided case for a fan page). This is especially true if third parties who are not Facebook members themselves are induced to use Facebook. The organization and Facebook are both jointly responsible, as they each determine the purposes and means of processing the personal data of those concerned. The operator of the fan page cannot withdraw his or her position vis-à-vis the affected parties on the grounds that he or she is merely a user of the service offered by Facebook.
An organization that uses Facebook offers for its own purposes thus meets all the obligations that a data protection officer has to fulfil. According to the Basic Data Protection Ordinance, those responsible must jointly contractually determine in a transparent form which functions they assume and how they fulfill their data protection obligations. In particular, the rights of data subjects can also be asserted against the organisation. "This improves the position of the users concerned. In addition, the ruling of the European Court of Justice has made it unmistakably clear that there is no gap in the responsibility for the processing of personal data in these cases either," says Marit Hansen, Data Protection Commissioner for the State of Schleswig-Holstein.
This shared responsibility also affects liability. For example, under the Basic Data Protection Regulation, any data controller involved in a data processing operation is liable for damage caused by an unlawful processing operation. Exemption from liability is possible only if it is actively demonstrated that there is no liability whatsoever for the circumstance which caused the damage. There is therefore a presumption of fault in relation to all those jointly responsible - the burden of proof lies with them.
Orders issued by a data protection supervisory authority can be directed both against the organization that uses Facebook for its purposes and against the operator of the social network. Ultimately, this also applies to the potentially drastic sanctions that supervisory authorities can impose under the Basic Data Protection Regulation.
Conclusions for practice
"The clarification by the ECJ is to be welcomed in the sense of effective data protection. Anyone who incorporates offers from social networks into his organisational communication is in any case jointly responsible for all data processing initiated by him. Those who do not want to take any risks must either be sure that the social network does not commit any violations of the basic data protection regulation with these data processing practices or avoid these offers", summarises Roßnagel. "Just like social networks, offers such as search engines, messenger and short message services also need to be put to the test.
In the Privacy Forum, experts from seven scientific institutions deal with issues relating to the protection of privacy in an interdisciplinary, critical and independent manner. The project is coordinated by Fraunhofer ISI. Further partners are Fraunhofer SIT, the University of Duisburg-Essen, the Scientific Center for Information Technology Design (ITeG) of the University of Kassel, Eberhard Karls University Tübingen, Ludwig Maximilian University Munich and the Independent State Center for Data Protection Schleswig-Holstein. The BMBF supports the Forum Privatheit in order to stimulate public discourse on the topics of privacy and data protection.


Press Release avialable for Download
Press Release

Sprecher „Forum Privatheit“:
Prof. Dr. Alexander Roßnagel
Universität Kassel
Projektgruppe verfassungsverträgliche Technikgestaltung (provet)
Wissenschaftliches Zentrum für Informationstechnik-Gestaltung (ITeG)
Tel: 0561/804-3130 oder 2874

Projektkoordination „Forum Privatheit“:
Dr. Michael Friedewald
Project Coordinator „Forum Privatheit“
Fraunhofer-Institue for Systems and Innovation Research
Competence Center New Technologies
Tel.: 0721 6809-146

Press and Communication „Forum Privatheit“:
Barbara Ferrarese, M.A.
Press and Communication „Forum Privatheit“
Fraunhofer-Institue for Systems and Innovation Research
Tel.: +49 721 6809-678