Administrator of a fan page on a social network is a ‘controller’ under the EU Data Protection Directive
The Chambers News, Legal News section reported on the administrator of a fan page on a social network is a ‘controller’ under the EU Data Protection Directive on the 10th of July 2018. The article reports on a company registered under German laws that set up a fan page on Facebook with the intention to obtain anonymous statistical information on the characteristics and habits of visitors to the fan page via a function called “Facebook Insights”. The information is collected by means of evidence files (‘cookies’) which Facebook makes available free of charge under non-negotiable conditions of use.
The German data protection regulator ordere the company to deactivate the fan page or face a penalty payment in 2011 on the basis that neither the Company nor Facebook informed visitors to the fan page personal data was collected about the visitors via cookies. The matter was referred to the European Court of Justice (‘ECJ’) by the Federal Administrative Court of Germany for interpretation of a number of issues on this matter raised under the EU Data Protection Directive.
According to the Chambers News, the ECJ confirmed that Facebook Ireland was a controller as well as the Company and therefore jointly responsible for the processing of the personal data. The Company was responsible for determining the purposes and means by which Facebook Ireland processed the personal data of those visiting the fan page. Even though hosted by Facebook Ireland, the Company was benefitting from the fan page and was subject to obligations of the EU Data Protection Directive. The ECJ further stated that fan pages on Facebook can also be visited by persons who are not Facebook users therefore do not have a user account on Facebook. In that case, it was suggested that the fan page administrator’s responsibility for processing of personal data is even greater since mere visit to the fan page automatically triggered the processing of personal data.
This case emphasises the necessity to have adequate privacy notices in place setting out how processing (including cookies) will occur. This case is also critical for any company and businesses that have an influence over how personal data is processed could be bound as data controller, not limited to the use of social media. Consideration should be duly given to this case-law by companies as they may in fact be data controllers and ought to ensure compliance with the relevant GDPR provisions and the Data Protection Act 2017 of Mauritius.
Please go to the Chambers News, Legal News to read the full article.
Source: Chambers News, Legal News
Photo by William Iven on Unsplash