The operator of a fan page maintained on Facebook may be required to shut down its fan page if the digital infrastructure provided by Facebook has serious deficiencies under data protection law. This was decided today by the Federal Administrative Court in Leipzig.
The subject of the appeal proceedings was an order issued by the Schleswig-Holstein data protection supervisory authority requiring the plaintiff, an educational institution based in Kiel, to deactivate the fan page it operated on Facebook under the scope of the Data Protection Directive (Directive 95/46/EC). The decision complained that Facebook, when accessing the fan page, would access the personal data of internet users, without it being able to access the internet users in accordance with the provisions of the Telemedia Act on the nature, scope and purposes of the collection, as well as a right of objection to the creation of the of a usage profile for advertising or market research purposes. An objection of the user to the applicant as operator of the fan page, declared, remains without consequences in the absence of appropriate technical influence.
The lawsuit was successful in the lower courts. The Higher Administrative Court rejected the applicant’s responsibility under data protection law on the ground that it did not have access to the data collected. The defendant objected to this in the present review proceedings.
Following a referral by the Federal Administrative Court (decision of February 25, 2016 – BVerwG 1 C 28.14), the Court of Justice of the European Union (ECJ) ruled in its decision of June 5, 2018 – C-210/16 – that the operator of a fan page is jointly responsible for the data processing carried out by Facebook. This is because by operating the fan page, it allows Facebook to access the data of the fan page visitors.
On the basis of this binding requirement, the Federal Administrative Court annulled the appeal judgment and referred the case back to the Schleswig-Holstein Higher Administrative Court. In order to enforce the high level of data protection as quickly and effectively as possible by the Data Protection Directive, the defendant was able to be guided by the idea of effectiveness in the selection of several data protection controllers and the applicant is not responsible for the production of data protection-compliant conditions when using its fan page. He did not have to take action against one of Facebook’s subdivisions or branches, because it would have been subject to significant factual and legal uncertainties due to Facebook’s unwillingness to cooperate. If the data processing that takes place when the fanpage is called in proves to be illegal, the deactivation order is a proportionate means, since the applicant has no other means of establishing data protection-compliant conditions.
As to the illegality of the data processing operations complained of, the Court of Appeal must clarify the facts. The legality of the data processing operations that take place when the plaintiff fanpage is called upon is in accordance with the requirements of the data protection law in force at the time of the last administrative decision, in particular the provisions of the Telemedia Act, which applicant as an operator.
