Page operators on Facebook are having problems! Court of Justice of the European Union announces that the fan page operators are jointly responsible.
“THIS is mega-fuck,” a site operator friend of mine just wrote to me. According to a press release from the Court of Justice of the European Union today, operators of a Facebook fan page are jointly responsible with Facebook for processing the personal data of visitors to their page! What are the consequences of this ruling?
What it was about: Facebook collects information about users, stores IPs and sets cookies. However, visitors to Facebook pages cannot consent or object to this anywhere. Since this is currently hardly technically feasible, one can now assume that there will be great uncertainty among the site operators. Therefore, in our opinion, it is very important at this moment that both politicians and Facebook as the operator of the platform say CLEAR words about what is going on .
Considerations...
In order to at least benevolently comply with the ruling, site operators could add the data protection declaration under “Info”. You link them either to your own or to Facebook's. This would have already fulfilled a GDPR-compliant obligation to provide information. It is also clear that data cannot simply be deleted by site operators and even this is regulated in the GDPR with the sentence “As far as it is technically possible and within financial limits”. The problem, however, is still the lack of an opt-out option. The GDPR is rather vague in some places and some lawyers and courts will still have to deal with it.
But it is important to note here: the GDPR is NOT responsible for this ECJ ruling. This decision dates back to a case from 2011! The decision is still based on the old EU data protection directive, which no longer applies. Here it becomes interesting to what extent the ECJ's statements can be transferred to the GDPR.
In detail, and precisely BECAUSE the press release only appeared a few minutes ago, we are reproducing without comment the entire press release from the Court of Justice of the European Union, which is based on a previous legal dispute that began in 2011. In 2011, the Independent State Center for Data Protection (ULD) in Kiel asked companies in the state (including the Schleswig-Holstein Business Academy) to shut down their Facebook pages.
Here is the press release:
The data protection authority of the Member State in which this operator is established may, in accordance with Directive 95/46, take action both against it and against the Facebook subsidiary established in that Member State. The Schleswig-Holstein Business Academy is a company specializing in the field of education. It offers, among other things, educational services via a fan page on Facebook at the address www.facebook.com/wirtschaftsakademie. The operators of fan pages such as the Business Academy can use the Facebook Insight function, which Facebook makes available to them free of charge as an indispensable part of the user relationship, to obtain anonymized statistical data regarding the users of these pages.
This data is collected using so-called cookies, each of which contains a unique user code that is active for two years and which Facebook stores on the computer hard drive or other storage medium of the fan page visitor. The user code, which can be linked to the registration data of users who are registered with Facebook, is collected and processed when the fan pages are accessed.
By decision of November 3, 2011, the Independent State Center for Data Protection Schleswig-Holstein - as the control body responsible under Directive 95/46 for monitoring the application of the regulations issued by Germany to implement this directive in the territory of the federal state of Schleswig-Holstein - ordered the Business Academy to deactivate their fan page. According to the Independent State Center for Data Protection, neither the Business Academy nor Facebook informed visitors to the fan page that Facebook collects personal data concerning them using cookies and then processes this data.
The business academy filed an administrative lawsuit against this decision with the administrative court in Germany and claimed that the processing of personal data by Facebook could not be attributed to it and that it had not commissioned Facebook to process data that it controlled or could influence. From this, the business academy concluded that the Independent State Center should have taken action directly against Facebook and not against them.
Against this background, the Federal Administrative Court (Germany) asks the Court to interpret Directive 95/46. In its judgment delivered today, the Court first states that, in the present case, there is no doubt that the American company Facebook and, as far as the Union is concerned, its Irish subsidiary Facebook Ireland, are deemed to be "responsible for the processing" of the personal data of the European Union Facebook users and the people who have visited the fan pages maintained on Facebook are to be considered “responsible persons”. Because these companies primarily decide on the purposes and means of processing this data.
The Court then finds that an operator such as the Wirtschaftsakademie must be regarded as responsible within the Union, together with Facebook Ireland, for the data processing in question. Such an operator is involved in deciding on the purposes and means of processing the personal data of visitors to its fan page through the parameterization it carries out (including in accordance with its target audience and the objectives of controlling or promoting its activities).
In this regard, the Court points out that the fan page operator can, in particular, request demographic data about its target group - and thus the processing of this data - (including trends in the areas of age, gender, relationship status and professional situation), information about lifestyle and the Interests of its target audience (including information about the purchases and online purchasing behavior of visitors to its site, as well as the categories of goods or services that interest them most) and geographical data that informs it where to carry out special promotions or organize events and generally enable him to make his information offering as targeted as possible.
According to the Court, the fact that an operator of a fan page uses the platform set up by Facebook to make use of the associated services cannot exempt him from complying with his obligations in the area of personal data protection. The Court emphasizes that the recognition of joint responsibility between the operator of the social network and the operator of a fan page maintained on that network in relation to the processing of personal data of visitors to that fan page contributes to ensuring a more comprehensive protection of the social network, in accordance with the requirements of Directive 95/46 To ensure the rights that people who visit a fan page have.
Furthermore, the Court finds that the Independent State Center was competent to ensure compliance with the rules on the protection of personal data in German territory of all the powers it has under the German provisions implementing Directive 95/46, not only in relation to them the business academy, but also towards Facebook Germany.
If a company established outside the Union (such as the American company Facebook) has several branches in different Member States, the supervisory body of a Member State is also responsible for exercising the powers conferred on it by Directive 95/463 in relation to a branch situated in the territory of that Member State company if, according to the intra-group distribution of tasks, on the one hand, this branch (here Facebook Germany) is solely responsible for the sale of advertising space and other marketing activities in the territory of the Member State concerned, and on the other hand, it has exclusive responsibility for the collection and processing of personal data for the entirety territory of the Union is the responsibility of a branch located in another member state (here Facebook Ireland).
The Court further states that if the supervisory body of a Member State (here the Independent State Center in Germany) intends to take action against a body established in the territory of that Member State (here the Business Academy) for breaches of the provisions on the protection of personal data issued by were committed by a third party who is responsible for the processing of this data and has its registered office in another Member State (here Facebook Ireland), which exercises the powers of influence under Directive 95/464, this supervisory body is responsible for the lawfulness of such data processing regardless of the to assess the control body of the latter Member State (Ireland) and to exercise its powers of intervention over the body established on its territory, without first requesting intervention from the control body of the other Member State.
Source: https://curia.europa.eu
If you enjoyed this post and value the importance of well-founded information, become part of the exclusive Mimikama Club! Support our work and help us promote awareness and combat misinformation. As a club member you receive:
📬 Special Weekly Newsletter: Get exclusive content straight to your inbox.
🎥 Exclusive video* “Fact Checker Basic Course”: Learn from Andre Wolf how to recognize and combat misinformation.
📅 Early access to in-depth articles and fact checks: always be one step ahead.
📄 Bonus articles, just for you: Discover content you won't find anywhere else.
📝 Participation in webinars and workshops : Join us live or watch the recordings.
✔️ Quality exchange: Discuss safely in our comment function without trolls and bots.
Join us and become part of a community that stands for truth and clarity. Together we can make the world a little better!
* In this special course, Andre Wolf will teach you how to recognize and effectively combat misinformation. After completing the video, you have the opportunity to join our research team and actively participate in the education - an opportunity that is exclusively reserved for our club members!
Notes:
1) This content reflects the current state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic. 2) Individual contributions were created through the use of machine assistance and were carefully checked by the Mimikama editorial team before publication. ( Reason )


