Who's in control of online data? EU judgment applies broad approach when assessing who is a joint controller of personal data collected online

In a recent judgment, the Court of Justice of the European Union (“CJEU”) held that the administrator of a Facebook fan page was a joint controller of its visitors' personal data along with Facebook – a finding which suggests the CJEU may apply a broad approach when considering whether organisations are acting as joint controllers in relation to personal data collected online.

One of the German data protection authorities issued a decision against a company called Wirtschaftsakademie, which was operating a Facebook fan page. The data protection authority ordered that Wirtschaftsakademie must deactivate its fan page, on the basis that it had failed to inform its visitors that Facebook would collect and process their personal data using cookies. This was in breach of its obligations as a controller of the visitors' personal data.

Wirtschaftakademie appealed on the basis that it should not be considered to be a joint controller of visitors' personal data. Wirtschaftsakadamie did not have visibility of the relevant personal data – such information was only available to Facebook, and Facebook should be considered to be the sole controller. The German court referred the question of whether Wirtschaftsakademie was a controller to the CJEU. The CJEU confirmed that the administrator of a fan page on a social media site should be regarded as a joint controller. Previously, there was an assumption amongst many that a social media site would be the sole controller in these circumstances.

You can potentially be deemed to be a joint controller of personal data even if you don't have visibility of the relevant data

Under EU data protection law, a controller is the person or organisation which either alone, or jointly with others, decides the purpose and means of processing of personal data. CJEU's finding that administrators of fan pages are joint controllers was based on a number of factors, including the following:

• the administrator of a fan page gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page;
• administrators of fan pages are able to obtain certain anonymised statistical information from Facebook about visitors. They have the ability to define the criteria in accordance with which the statistics are drawn up and can designate the categories of persons whose personal data Facebook provides to them. In this respect, they therefore contribute to the processing of the personal data of visitors.
• although the statistical information was provided in anonymised form, production of that information was based on prior collection of unanonymised personal data using cookies.
• Wirtschaftsakademie was taking part in the purpose and means of processing of personal data of the visitors because it was able to define the parameters of the data that was being collected and processed.

In the judgment, the CJEU stated that: "By setting up its fan page, Wirtschaftsakademie has made an active and deliberate contribution to the collection by Facebook of personal data relating to visitors to the fan page, from which it profited by means of the statistics provided to it by Facebook".

One of the key points is that the CJEU may still consider you to be a joint controller of personal data, even if you don’t actually have any visibility of that data.

It's not just about fan pages

The implications of this ruling potentially extend beyond fan pages, particularly in relation to interactive entertainment businesses and other online platforms. Whenever your services interface with those of a third party, you should always think about whether you might be considered to be a joint controller in respect of personal data being collected and processed by that third party, and what the implications of this might be. You need to be particularly careful if the third party is collecting and processing users’ personal data via your services, and providing you with statistical or analytical data in return (even if the information you receive is not anonymous). Examples where this might potentially arise include the following:

• if you enable users to log into your services using their social media account details and you receive statistical or analytical information about those users from the social media organisations;
• if you embed third party services into your own platforms or websites and those third parties provide you with statistical or analytical data;
• If your game incorporates a third party software which provides you with analytical information such as game metrics and player behaviour data, even if you only ever see that information in anonymised form; or
• If you operate social media fan pages for your games.

Understanding data flows is key

You should take some time to think about whether you could be deemed to be a joint controller with those third parties and, if so, think about whether it would be appropriate to address this in your contractual relationships. Key to this is understanding your data flows - in other words, make sure you have a good understand what personal data is being collected, who is using it, whom it’s being shared with, and how it’s being used. This will enable you to make a better risk assessment and to take steps to address any risks. Get in touch with us if you are unsure about whether you are a joint controller of personal data, and, if so, what your compliance obligations are.