In two recent decisions the CJEU has adopted a maximalist, and probably to many people a counter-intuitive, approach to the issue of the identification of joint data controllers – the effect of the decisions is that a body can be a joint data controller of personal data even though it has no access to, and no right of access to, the personal data in question. Both cases were decided under pre-GDPR law, but changes introduced by the GDPR mean that they are likely to have a significant impact.
In the first case, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd (Case C-210/16), the CJEU considered the position of the administrator of a fan page on Facebook. The fan page in question had been set up by a company offering educational services and the processing of personal data occurred as a result of Facebook placing cookies on the computers and other devices of users visiting the fan page. The information obtained by Facebook through the use of the cookies was not made available to the company, save to the extent of the provision of some anonymised statistical data.
Article 5 (d) of Directive 95/46 defined a controller as “…the natural or legal person…which alone or jointly with others determines the purposes and means of the processing of personal data”. Applying that definition, the CJEU held that the company, as fan base administrator, took part in determining the purposes and means of processing. It did so because, when setting up the fan page, it set the parameters for Facebook’s processing – “…the creation of a fan page…involves the definition of parameters by the administrator; depending inter alia on the target audience and the objectives of managing and promoting its activities, which has an influence on the processing of the personal data for the purpose of producing statistics based on visits to the fan page…”. The company was therefore a joint data controller.
The second case, in which judgement was delivered a few weeks later, arose in a completely different factual context. The case, Tietosuojavaltuutettu (Case C-25/17), was concerned with personal data collected by individual Jehovah’s Witnesses in the course of door-to-door preaching. The personal data in issue in the case could for practical purposes be divided into two: (i) the names and addresses of people who had said that they did not wish to have further visits – which was shared with the congregation of which the individual preacher was a member, so that an appropriate list could be drawn up so as to ensure that those people’s wishes were respected; and (ii) in relation to other people, notes taken for possible use in future visits – these were kept by, and available only to, the individual Jehovah’s Witness who had made the original visit and not shared with either the relevant congregation or the Jehovah’s Witnesses Community. The CJEU held that the Jehovah’s Witnesses Community was a joint data controller of both types of personal data. The explanation given for that conclusion was that: “…the Jehovah’s Witness Community, by organising, coordinating and encouraging preaching activities of its members intended to spread its faith, participates, jointly with its members who engage in preaching, in determining the purposes and means of processing of personal data of the person contacted…”.
The CJEU fully recognised that it was taking a broad approach. In each case it sought to ‘mitigate’ the effect of the decisions by explaining that joint data controllers did not have equal responsibility in respect of the processing of personal data. In the Tietosuojavaltuutettu case, the CJEU said: “…the existence of joint responsibility does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case…”. Unhelpfully, the CJEU did not give any practical guidance on how to undertake that assessment, nor did it give any clue as to the legal consequences of concluding that joint data controllers have “different levels of responsibility”.
The obvious and immediate consequence of the two decisions is that a considerable number of organisations which, up until now, had not considered themselves to be joint data controllers will have to review that assessment. But the implications go beyond this. Article 26 of the GDPR makes express provision for the position of joint data controllers. For present purposes there are two points worth highlighting.
The first is that joint data controllers are required to enter into an “arrangement” to reflect their respective roles and relationships vis-à-vis data subjects. It might be thought that, in the context of civil society groups such as Jehovah’s Witnesses, this will introduce a degree of formalisation and bureaucratisation that does not sit easily with the purpose of such groups. By contrast, in the context of commercial activities such as that in the Facebook fan page case, it is tempting to wonder how much such an ‘arrangement’ will add to the protection of data subjects given that its terms are likely to be wholly determined by Facebook (which in any event is a data controller in these circumstances).
The second arises out of Article 26 (3) GDPR. This provides: “Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of each of the controllers”. If read literally, this seems to pull the rug out from underneath the feet of the ‘mitigation’ provided by the CJEU in the two cases – at least as regards data subjects’ rights – since it, deliberately, makes no allowance for any difference of responsibility as between joint controllers.
Looking beyond the specific issue of the identification of joint data controllers, the two cases also serve to illustrate the very considerable emphasis that the CJEU will place on the rights of individual data subjects – it justified its conclusions in the two cases as being necessary to ensure “effective and complete protection” for data subjects and as contributing “to ensuring more complete protection of the rights of persons”. That emphasis will undoubtedly have an important impact on future data protection cases coming before the CJEU.