The operator of a company presence (fan page) maintained on the social network Facebook can be obliged to shut down its fan page if the digital infrastructure provided by Facebook has serious data protection deficiencies. This was decided today by the Federal Administrative Court in Leipzig.
The subject of the appeal proceedings was an order of the Schleswig-Holstein data protection supervisory authority by which, in application of the Data Protection Directive (Directive 95/46/EC), the plaintiff, an educational institution based in Kiel, had been obliged to deactivate the fan page it operated on Facebook. The notice objected to the fact that Facebook accessed personal data of internet users when the fan page was called up, without informing them in accordance with the provisions of the Telemedia Act about the type, scope and purposes of the collection or about their right to object to the creation of a user profile for purposes of advertising or market research. An objection declared by the user to the plaintiff as the operator of the fan page remained without effect because the operator lacked the technical means to act on it.
The action was successful in the lower courts. The Higher Administrative Court rejected the plaintiff's responsibility under data protection law because it had no access to the collected data. The defendant challenged this in the present appeal proceedings.
Following a referral by the Federal Administrative Court (decision of 25 February 2016 - BVerwG 1 C 28.14), the Court of Justice of the European Union (CJEU) ruled on 5 June 2018 - C-210/16 - that the operator of a fan page is jointly responsible for the data processing carried out by Facebook. By operating the fan page, the operator enables Facebook to access the data of the fan page visitors.
On the basis of this binding requirement, the Federal Administrative Court overturned the appeal judgment and referred the legal dispute back to the Schleswig-Holstein Higher Administrative Court. In order to enforce the high level of data protection intended by the Data Protection Directive as quickly and effectively as possible, the defendant could be guided by the idea of effectiveness when selecting among several data protection controllers and could, without any error of judgement, hold the plaintiff responsible for establishing data protection-compliant conditions when using its fan page. The plaintiff did not have to take action against one of Facebook's subdivisions or branches because this would have entailed considerable factual and legal uncertainties due to Facebook's unwillingness to cooperate. If the data processing that takes place when the fan page is called up proves to be unlawful, the deactivation order is a proportionate remedy because the plaintiff has no other possibility to establish data protection-compliant conditions.
Whether the contested data processing operations were unlawful requires a more detailed clarification of the factual circumstances by the court of appeal. The lawfulness of the data processing operations that take place when the plaintiff's fan page is called up must be measured against the requirements of the data protection law in force at the time of the last decision by the authorities, in particular the provisions of the Telemedia Act, to which the plaintiff is subject as operator.
Judgment of 11 September 2019 - BVerwG 6 C 15.18 -
OVG Schleswig, 4 LB 20/13 - Judgment of 04 September 2014 -
VG Schleswig, 8 A 14/12 - Judgment of 09 October 2013
Source: Press release of the Federal Administrative Court No. 62/2019 of 11.09.2019