AG CJEU: Facebook must follow privacy rules of each Member State
On October 24th, 2017, an Advocate General of the CJEU, Mr Y. Bot, delivered his opinion in the case of Wirtschaftsakademie Schleswig-Holstein concerning the privacy of individuals on Facebook pages.
The Wirtschaftsakademie provides education and training services via a 'fan page' on Facebook Ireland. Visitors to that fan page were not warned that their personal data were collected by Facebook by means of cookies for so-called 'web-tracking'. When the German data protection authority ordered the Wirtschaftsakademie to comply with data protection rules the latter noted that Facebook was carrying out the data processing. Facebook said it complied with Irish legislation. According to AG Bot, Facebook, together with the Wirtschaftsakademie, must be regarded as the 'controller' of the data. Both Facebook and the Wirtschaftsakademie are jointly responsible for data processing as regards the fan page, as both are involved with the determination of the means and purpose of that data processing. Furthermore, as regards the applicable law, AG Bot pointed out that Data Protection Directive 95/46 does not include the country-of-origin principle so that each Member State may apply its own privacy rules. When a controller has several establishments within the EU, it may therefore be subject to the national data protection laws of multiple Member States. It should be noted that from 25 May 2018, the General Data Protection Regulation (GDPR) will institute a one-stop-shop mechanism whereby cross-border data processing will primarily be subject to the supervision of only one national data protection authority, being the authority for the place where the controller’s main establishment is located. The judgment of the CJEU in this case is expected in the first half of 2018.