A recent judgment of the European Court makes it clear that in many circumstances more than one party may be a joint data controller. Whilst the judgment pre-dates the GDPR, its consideration of what constitutes ‘control’ and ‘joint control’ remains good law under the GDPR. The judgment means that parties who may have considered themselves ‘data processors’ in the past should review whether they are in fact ‘joint data controllers’ with others.
On 5 June 2018 the Court of Justice of the European Union (CJEU) delivered its judgment in Case C-210/16 Wirtschaftsakademie Schleswig-Holstein. The judgment found that the operator of a Facebook fan page (Wirtschaftsakademie Schleswig-Holstein, which used the fan page in offering educational services) is liable as a joint controller with Facebook, despite only receiving anonymised statistical data from Facebook in running the page.
Although decided under the current EU Data Protection Directive and German implementing legislation, the judgment has some key implications for controller relationships under the GDPR:
- Access to personal data by a party is not always required for that party to be considered a joint controller – the operator only received anonymised data (which the CJEU appears to have accepted is not personal data) from Facebook. However, the operator was still deemed to be playing a part in determining the purposes and means of processing the original personal data of visitors to the page, jointly with Facebook defining the criteria for drawing up the subsequent anonymised data.
- Wide definition of controller – Facebook may have had primary processing responsibility here, in placing cookies on the computer/device of visitors to the fan page. However, the judgment held that the operator acted as a joint controller in giving Facebook that opportunity, and in setting the parameters for what personal data would be sent to the operator as anonymised statistical data. It didn’t matter that the responsibility of the parties was not equal.
The judgment makes it clear that users of platform services cannot assume that responsibility for data protection compliance will rest solely with the platform.
More widely, the judgment calls into question the ways that parties categorise their roles in relation to personal data processing – joint controller relationships may be far more prevalent than companies have considered to date.