The operator of a fan page on Facebook is also responsible for protecting visitors’ personal data and cannot hide behind the social network, the European Union’s highest court ruled on Tuesday.
The case stems from a dispute involving a German fan page on Facebook, which used the social network to store cookies on visitors’ hard drives to collect data about them.
When a German data protection authority ordered the operator of the fan page, an education company, to deactivate it because visitors were not informed about the collection of their personal data, the company argued it was not responsible for the processing of personal data by Facebook and that any action should be brought against the social network.
“According to the court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data,” the Court of Justice of the European Union (ECJ) said in a statement about the ruling.
The administrator takes part in deciding what data to collect and how to process it, for example by defining a target audience and asking for demographic data or information on the lifestyles and interests of visitors to the page, the ECJ said.
The Luxembourg-based court also reaffirmed an opinion given by a legal adviser in October which said the German data protection authority had the power to take action against Facebook even though its European headquarters are in Ireland.
Facebook had argued only the Irish regulator had jurisdiction over its activities, but several other EU regulators have taken action against the company for allegedly breaching privacy legislation.
The ECJ said a regulator was entitled to exercise its powers against a company even if the responsibility for the collection and processing of data belonged to that company’s establishment in another member state – in this case Facebook Ireland.
The case pre-dated the entry into force two weeks ago of a new EU data protection regulation which introduces a “one stop shop” principle whereby companies only have to deal with the authority in the member state of their main EU establishment.