BVerwG: Data protection authority can prohibit operation of a Facebook fan page

The subject of the appeal proceedings was an order issued by the Schleswig-Holstein data protection supervisory authority requiring the plaintiff, an educational institution based in Kiel, to deactivate the fan page it operated on Facebook under the scope of the Data Protection Directive (Directive 95/46/EC). The decision complained that Facebook, when accessing the fan page, would access the personal data of internet users, without it being able to access the internet users in accordance with the provisions of the Telemedia Act on the nature, scope and purposes of the collection, as well as a right of objection to the creation of the of a usage profile for advertising or market research purposes. An objection of the user to the applicant as operator of the fan page, declared, remains without consequences in the absence of appropriate technical influence.

The lawsuit was successful in the lower courts. The Higher Administrative Court rejected the applicant’s responsibility under data protection law on the ground that it did not have access to the data collected. The defendant objected to this in the present review proceedings.

Following a referral by the Federal Administrative Court (decision of February 25, 2016 – BVerwG 1 C 28.14), the Court of Justice of the European Union (ECJ) ruled in its decision of June 5, 2018 – C-210/16 – that the operator of a fan page is jointly responsible for the data processing carried out by Facebook. This is because by operating the fan page, it allows Facebook to access the data of the fan page visitors.

On the basis of this binding requirement, the Federal Administrative Court annulled the appeal judgment and referred the case back to the Schleswig-Holstein Higher Administrative Court. In order to enforce the high level of data protection as quickly and effectively as possible by the Data Protection Directive, the defendant was able to be guided by the idea of effectiveness in the selection of several data protection controllers and the applicant is not responsible for the production of data protection-compliant conditions when using its fan page. He did not have to take action against one of Facebook’s subdivisions or branches, because it would have been subject to significant factual and legal uncertainties due to Facebook’s unwillingness to cooperate. If the data processing that takes place when the fanpage is called in proves to be illegal, the deactivation order is a proportionate means, since the applicant has no other means of establishing data protection-compliant conditions.

As to the illegality of the data processing operations complained of, the Court of Appeal must clarify the facts. The legality of the data processing operations that take place when the plaintiff fanpage is called upon is in accordance with the requirements of the data protection law in force at the time of the last administrative decision, in particular the provisions of the Telemedia Act, which applicant as an operator.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.