Willy-nilly ‘joint controller’. The threshold for qualifying as joint controller – and, as such, sharing actual responsibility for the processing of personal data – is low indeed. Two decisions by the European Court of Justice and a Conclusion by the Court’s Advocate General clearly demonstrate this. In some cases, all it takes is website integration of a social media plugin collecting personal data for the site administrator and the plugin supplier.
What this means is that it is very important for organisations and individuals to be perfectly clear on their particular standing in the GDPR division of roles. They have to know, at any point in time and in any given situation, exactly what they are: a consumer of services, a processor or a (joint) controller. The legal implications are very different in each of these scenarios.
The issue of joint processing responsibility should be discussed in any DPO Training. There already are two recent ECJ decisions on the subject, with a third one in the pipeline. The first one of these addresses the shared responsibility of a Facebook fan page administrator, the second one is on collection of personal data by Jehovah witnesses. The third will address use of the Facebook Like button by website administrators.
The first two rulings demonstrate that the Court has decided on a broad interpretation of the concept of ‘joint controllers’.
For any of the parties involved to qualify as a joint controller, the non-processing entity only has to have:
- derived value (directly or indirectly) from the processing activity,
- or affected the personal data processing for its own purposes.
Both these rulings are interpretations of Guideline 95/46/EC. With the entry into force of the GDPR, the upcoming Facebook Like button case has only gained additional significance, as this will be the first time the Court is to rule on the concept of joint controllers pursuant to Article 26(1) of the GDPR.
Facebook Like button
The case itself concerns integration of the Facebook Like button in a website by the administrator of that site, allowing for automated transfer of personal data to the Facebook offices in Ireland at every visit to the site, regardless of the visitor actually clicking the Like button or having a Facebook account.
In his Conclusion, the Advocate General states that the mere act of integrating the Facebook Like button in his website qualifies the administrator as a (joint) maker of decisions on the means used for processing personal data, going on to point out that the respective interests of the site administrator (commercial) and Facebook Ireland (advertising) justify qualification of the scenario as one of joint (common) interest. In order for this to hold true, in other words, these interests do not necessarily have to be identical. In fact, they can be complementary.
The Advocate General, then, clearly is of the opinion that the low-threshold interpretation of the previous two rulings applies to this GDPR case as well, the first to be ruled on by the Court. And it is very uncommon for opinions stated by the Advocate General not to be reflected in rulings by the Court.
What do we learn from this?
Presupposing that the Court will follow the AG opinion, organisations will have to pay even more attention to qualifying their GDPR roles in the context of various personal data processing operations. For what the GDPR appears to imply is that there is a virtually endless list of potentially ‘suspicious’ plugins that may lead to a situation of joint controllers. If this turns out to be the case, ‘joint controller’ agreements will shortly feature on the short-list of high-priority GDPR documents.
At the same time, this begs the question as to how exactly the upcoming ruling will affect the processor role at the other end of the spectrum. Which we may have to explore in one of our future blogs.