ECJ rulings give sharper contours to the concept of joint responsibility

The ECJ ruling of June 5, 2018 – Ref.: C-210/16 – concerned Facebook fan pages: a company sets up a Facebook fan page. Facebook collects data on access to the website and provides the company with this data in aggregated form. The company has no access to the data and cannot influence this data processing.

The ECJ assumed joint responsibility of the website operator and Facebook for the data processing operations carried out, as a joint decision was taken on the intended data processing. A joint decision requires a legal or actual influence on the data processing of another company. For the assumption of actual influence, it was sufficient if a company could influence the creation of target groups or determine other parameters for an advertising campaign. It is not necessary that the company can actually access the personal data. The indirect possibility to decide on the data processing is sufficient. In this specific case, it was already sufficient to be able to request anonymized reports from Facebook about the accesses to the fan page.

In the judgment of July 10, 2018 – C-25/17 – the ECJ addressed, inter alia, the joint responsibility of the Jehovah’s Witness community and its members in proclamation activities and held that the existence of joint responsibility does not necessarily imply equivalence of responsibility. Furthermore, it is not a requirement that each of the controllers also has access to the personal data in question.

These decisions generally give reason to examine contractual arrangements with regard to the need for joint responsibility provisions.

For operators of a Facebook fan page, it should be added that Facebook published supplementary provisions (“Insights Supplement”) and information (“Insights Information”) on September 11, 2018 in response to pressure from the supervisory authorities. This was intended to enable the controller to comply with its obligations under Article 26 of the GDPR.
