Controllership existentialism: recent CJEU case law on determining controllership and its implications for business
July 2019 | EXPERT BRIEFING | DATA PRIVACY
Navigating the world of European data protection law is not for the faint hearted. With multiple interacting pieces of legislation in force in each European Union (EU) Member State, even getting to grips with the underlying principles of the law can be a challenge.
On top of this, unfortunately, the law does not begin and end with the actual legislation. Once the basics have been mastered, it becomes necessary to understand the role of case law and how this adds further flesh to the legislative skeleton. One particular area which has seen movement in recent months is in relation to controllership – when a business is acting as a controller – and what this means for that business.
This article explores recent case law on this, to help identify the key learning points for businesses. In summary: a crucial determinant of whether a business is acting as a controller, or a joint controller, is whether the business ‘makes it possible’ for the collection and use of personal data to occur. However, this does not mean that each controller will have identical responsibilities, and the extent of a controller’s responsibility under law should be assessed based on the operations for which it decides the means and purposes of the processing of the personal data.
Firstly, a ‘controller’ for the purposes of the General Data Protection Regulation (GDPR) is an entity, which can be a natural or legal person, that processes personal data (personal information relating to an individual) for its own purposes. This means that a controller is essentially master and commander of the ‘data universe’ in which it operates. The controller decides what personal data it wants to collect, why it has collected it and how it will use it. If more than one controller collectively decides the ‘means and purposes’ of the processing, they will operate as ‘joint controllers’.
In contrast, a ‘processor’ is beholden to a controller for data protection purposes. Specifically, a processor can only use personal data in line with the instructions that it receives from a controller. This means that a processor is much more restricted in what it can do with personal data. It cannot make its own decisions, or suddenly decide to use the personal data for its own purposes, and it must, among its other obligations, return or destroy the personal data when its arrangement with the controller has come to an end.
As a starting point under EU data protection law, whether a business is acting as a controller or processor is a matter of fact. When determining data protection roles, it is important to ask: is the business controlling the means through which and the purposes for which the personal data is being used? Or, is the business only using this information on behalf of another party, which sets the parameters of use? If it is the former, the business is a controller. If it is the latter, the business is a processor.
However, depending on the underlying facts, this may not be a clear-cut distinction. In practice, this test can cause a number of headaches, not least because the direct obligations that a business will have to comply with under the GDPR will depend on its role in relation to the personal data in question. To assist, businesses should consider the clarifications provided by recent case law.
In the Jehovah’s Witness case, the Court of Justice of the European Union (CJEU) considered whether the Jehovah’s Witnesses Community was a joint controller of personal data that was collected by its members during their door-to-door preaching activities. In this case, while the Community itself did not have access to any of the information collected by its members, and did not require that its members collect information during their preaching activities, the CJEU still held that the Community could be considered a joint controller of this information. The reason given for this was that the Community “exerted influence” over the processing activities of its members for “its own purposes” and by so doing, participated in the determination of the purposes and means of that processing. Further, the collection of personal data by its members had been carried out to help achieve the objective of the Community, therefore the processing had been carried out “for the purposes of” the Community, and the Community had “encouraged, organised and coordinated” the preaching activities of its members.
This case demonstrates that access to personal data need not be the defining feature of a controller. Instead, a business should consider if it has “encouraged, organised and coordinated” the relevant processing activities, and whether the processing is carried out “for the purposes of” that business. The CJEU also made it clear that the existence of a joint controllership role does not necessarily imply equal responsibility for each of the controllers at all stages of the processing. Indeed, joint controllers “may be involved at different stages of that processing and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case”.
The Facebook Fan Page case adds further clarity to this discussion. In this case, the CJEU considered whether the administrator of a fan page, which was hosted on Facebook, was a joint controller of personal data collected by Facebook through that page. Again, in this case, the administrator did not itself have access to the personal data. Instead, when a user visited the fan page, Facebook placed cookies on the user’s device to collect personal data, which it then used to improve and enrich its advertising activities. In contrast, the fan page administrator only received anonymous, demographic data about page visitors.
Despite this, the CJEU found that the administrator was a joint controller of the personal data because the administrator had set up the fan page on Facebook and, by so doing, had given Facebook “the opportunity” to place cookies on visitors’ devices. Further, the administrator was able to determine the parameters and categories of data that would be collected and processed by Facebook, by defining the nature of the anonymous statistics that it wanted to receive about page visitors, through a specific filter choice. Taken as a whole, the CJEU found that the administrator contributed to determining, jointly with Facebook, the purposes and means of processing of the relevant personal data.
Building on the principles established under the Jehovah’s Witness case, the Facebook Fan Page case demonstrates that a crucial element of controllership is providing the opportunity for a party, either the business itself or a third party, to place cookies on an end user device. Similarly, if a business can exert influence over the types of information that may ultimately be collected by a third party, then this may be sufficient to demonstrate a controller role, even if that business does not have access to the data itself. Again, a joint controllership role does not automatically mean that the responsibility of each controller will be the same, and this should be assessed on the facts of the case.
Lastly, the Fashion ID case explored the ramifications of the Facebook ‘like’ button as a website plug-in. In this case, an online fashion retailer, Fashion ID, embedded the button on its webpage. When its visitors clicked on the button, Facebook harvested information about the user, regardless of whether that individual had a Facebook account. Again, the CJEU was asked to rule as to whether Fashion ID was a joint controller of this information, despite its inability to influence Facebook’s data processing operations.
The CJEU concluded that Fashion ID was a joint controller. Fashion ID “made it possible” for Facebook to collect information by embedding the plug-in in its website. Further, Fashion ID benefitted from the ‘like’ button, as it allowed Fashion ID to optimise the advertisements of its products, as its products became more visible on Facebook due to the ‘like’. Lastly, the CJEU considered that Fashion ID co-determined the parameters of the data collected by Facebook, simply by taking the decision to embed the plug-in in its website. Again, it was not relevant for the purposes of determining controllership that Fashion ID did not have access to the data itself, referred to by the CJEU as “fruits of joint labour”.
However, the CJEU did acknowledge a “deeper moral and practical dilemma” with its recent judgments concerning controllership based on whether or not a party “made it possible” for personal data to be collected. Taken to an extreme, this rationale could suggest that any party in a causal chain is a joint controller, for example an ISP for making the provision of the internet available to a user. To address this, the CJEU reinforced its earlier judgments relating to the differential responsibility, stating that a party’s responsibility would be limited to only “those operations for which it effectively co-decides on the means and purposes of the processing of the personal data”; and, as a result, in practice, this responsibility could be very limited.
In conclusion, case law has demonstrated that determining whether a business is a controller can boil down to considering whether that business “makes it possible” for the collection of personal data to occur. However, this is not the end of the story. The extent of a business’ responsibility under law should still be assessed on the operations for which it decides the means and purposes of the processing of the personal data.
Amy Lambert is an associate at Fieldfisher LLP. She can be contacted on +44 (0)207 861 4294 or by email: firstname.lastname@example.org.
© Financier Worldwide