ECJ, Directive 95/46/EC – Protection of Personal Data, Case C-210/16, Opinion of Advocate General: it is not only about Facebook
The Opinion of Advocate General Bot in Case C-210/16 (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v/ Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht) was published on 24/10/2017.
The case is a request for a preliminary ruling on the interpretation of Articles 2(d), 4(1), 17(2) and 28(3) and (6) of Directive 95/46/EC, as amended by Regulation (EC) No 1882/2003 of 29 September 2003.
The Bundesverwaltungsgericht (German Federal Administrative Court) decided to refer the following questions to the ECJ for a preliminary ruling:
“‘1. Is Article 2(d) of Directive 95/46 to be interpreted as definitively and exhaustively defining the liability and responsibility for data protection violations, or does scope remain, under the ‘suitable measures’ pursuant to Article 24 of Directive 95/46 and the ‘effective powers of intervention’ pursuant to the second indent of Article 28(3) of Directive 95/46, in multi-tiered information provider relationships for responsibility of a body that does not control the data processing within the meaning of Article 2(d) of Directive 95/46 when it chooses the operator of its information offering?
2. Does it follow a contrario from the obligation of Member States under Article 17(2) of Directive 95/46 to stipulate, in cases where data processing is carried out on the controller’s behalf, that the controller ‘must ... choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out’, that, where there are other user relationships not linked to data processing on the controller’s behalf within the meaning of Article 2(e) of Directive 95/46, there is no obligation to make a careful choice and no such an obligation can be derived from national law?
3. In cases in which a parent company based outside the European Union has legally independent establishments (subsidiaries) in various Member States, is the supervisory authority of a Member State (in this case, Germany) entitled under Article 4 and Article 28(6) of Directive 95/46 to exercise the powers conferred under Article 28(3) of Directive 95/46 against the establishment located in its territory even when this establishment is solely responsible for promoting the sale of advertising and other marketing measures aimed at the inhabitants of this Member State, whereas the independent establishment (subsidiary) located in another Member State (in this case, Ireland) is exclusively responsible within the group’s internal division of tasks for collecting and processing personal data throughout the entire territory of the European Union and hence in the other Member State as well (in this case, Germany), if decisions about data processing are in fact taken by the parent company?
4. Are Article 4(1)(a) and Article 28(3) of Directive 95/46 to be interpreted as meaning that, in cases in which the controller has an establishment in the territory of one Member State (in this case, Ireland) and there is another, legally independent establishment in the territory of another Member State (in this case, Germany), whose responsibilities include the sale of advertising space and whose activity is aimed at the inhabitants of that State, the competent supervisory authority in this other Member State (in this case, Germany) may direct measures and orders implementing data protection legislation also against the other establishment (in this case, in Germany) not responsible for data processing under the group’s internal division of tasks and responsibilities, or are measures and orders only possible by the supervisory body of the Member State (in this case, Ireland) in whose territory the entity with internal responsibility within the group has its registered office?
5. Are Article 4(1)(a) and Article 28(3) and (6) of Directive 95/46 to be interpreted as meaning that, in cases in which the supervisory authority in one Member State (in this case, Germany) takes action against a person or entity in its territory pursuant to Article 28(3) of Directive 95/46 on the grounds of failing to exercise due care in choosing a third party involved in the data processing process (in this case, Facebook), because this third party is in violation of data protection legislation, the active supervisory authority (in this case, Germany) is bound by the appraisal of data protection legislation by the supervisory authority of the Member State in which the third party responsible for the data processing has its establishment (in this case, Ireland) meaning that it may not arrive at a different legal appraisal, or may the active supervisory authority (in this case, Germany) conduct its own examination of the lawfulness of the data processing by the third party established in another Member State (in this case, Ireland) as a preliminary question prior to its own action?
6. Where the possibility of conducting an independent examination is available to the active supervisory authority (in this case, Germany), is the second sentence of Article 28(6) of Directive 95/46 to be interpreted as meaning that this supervisory authority may exercise the effective powers of intervention conferred on it under Article 28(3) of Directive 95/46 against a person or entity established in its territory on the grounds of their joint responsibility for data protection violations by a third party established in another Member State only and not until it has first requested the supervisory authority in this other Member State (in this case, Ireland) to exercise its powers?’”
Advocate General Bot proposed that the ECJ answer the questions above as follows:
“(1) Article 2(d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003 is to be interpreted as meaning that the administrator of a fan page on a social network such as Facebook must be regarded as being a controller, within the meaning of that provision, in so far as concerns the phase of personal data processing consisting in the collection by that social network of data relating to people who visit the fan page for the purpose of compiling viewing statistics for that fan page.
(2) Article 4(1)(a) of Directive 95/46, as amended by Regulation No 1882/2003, is to be interpreted as meaning that processing of personal data such as that at issue in the main proceedings is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when an undertaking operating a social network sets up in that Member State a subsidiary which is intended to promote and sell advertising space offered by that undertaking and which directs its activities toward residents in that Member State.
(3) In a situation such as that at issue in the main proceedings, in which the national law which applies to the processing of personal data in question is that of the Member State to which a supervisory authority belongs, Article 28(1), (3) and (6) of Directive 95/46, as amended by Regulation No 1882/2003, is to be interpreted as meaning that that supervisory authority may exercise all the effective powers of intervention conferred on it in accordance with Article 28(3) of the directive against the controller, including where that controller is established in another Member State or even in a third country.
(4) Article 28(1), (3) and (6) of Directive 95/46, as amended by Regulation No 1882/2003, is to be interpreted as meaning that, in circumstances such as those in the main proceedings, the supervisory authority of the Member State in which the establishment of the controller is located is entitled to exercise its powers of intervention against that controller autonomously and without being required first to call on the supervisory authority of the Member State in which the controller is located to exercise its powers”.
The judgment of the ECJ in this case will be of high importance (cf. the Lindqvist case, C-101/01).
This major case is not merely about Facebook and the corresponding powers of national DPAs. It will also further clarify the concept of ‘controller’ and how the rules on the lawfulness of the processing of personal data apply to the tracking of browsing behaviour, profiling, and behavioural advertising.
This also has implications beyond just the 'browser' or apps. Think about the Marriott (and other hotel chains) adding in IoT (such as Amazon Echo) to make life easier for hotel guests. Now think about the 'shared' economy such as Airbnb. Running an Airbnb or similar and have a NEST device with Google Assistant. Amazon Echo or similar. What about that internet connected Smart TV? https://www.linkedin.com/feed/update/urn:li:activity:6415230351093960705