With its decision from 25. Februrary 2016, the German Federal Administrative Court referred several interesting data protection questions related to the operation of a Fanpage on Facebook to the European Court of Justice (ECJ) (the whole decision can be accessed here, in German). The case number at the ECJ is C-210/16. Since there does until now not exist an English version of the reference for a preliminary ruling, you will find beneath a rough translation of some of the questions referred.
The plaintiff is a provider for work-related education and training, which operates a so-called Fanpage at Facebook. The defendant, the Independent Centre for Data Protection of Schleswig-Holstein (ULD), has ordered the plaintiff to deactivate this Fanpage in November 2011. The usage data of visitors would be collected by Facebook via a cookie on the Fanpage. This data would, inter alia, be used by Facebook for advertising purposes and also to provide the applicant with user statistics without the user being sufficiently informed and not having consented to this use. The Administrative Court has upheld the complaint. The Higher Administrative Court rejected the appeal because the plaintiff does not act as a “data controller” in the sense of Sec. 3 para 7 of the Federal Data Protection Act (Art. 2 d) of Directive 95/46/EC) with respect to the data collected by Facebook.
The Senate has submitted to the European Court of Justice the following questions for a preliminary ruling under Article 267 TFEU:
1. Must Art. 2 d) Directive 95/46/EC be interpreted as meaning that it conclusively and exhaustively regulates liability and responsibility for violations of data protection law or, in the context of “suitable measures” under Art. 24 Directive 95/46/EC and the “effective powers of intervention” according to Art. 28 para 3 indent 2 Directive 95/46/EC, remains there any room in multilevel relationships of information providers for the responsibility of a body that is not a “data controller” in the sense of Art. 2 a) Directive 95/46/EC with regard to the selection of an operator for its information services?
2. Does it follow from the obligation of Member States according to Art. 17 para 2 Directive 95/46/EC, where processing is carried out on behalf of the controller, to provide that the controller must “choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures” as argumentum e contrario, that in other situations which are not in the sense of Art. 2 e) Directive 95/46/EC connected with a data processing on behalf, no obligation for a careful selection exists and can’t be created under national law?
3. In cases where a parent company residing outside the European Union has legally independent subsidiaries in different Member States, is, under Art. 4, Art. 28 para 6 Directive 95/46/EC, the data protection authority of a Member State (here: Germany) empowered to exercise its delegated powers in accordance with Art. 28 para 3 Directive 95/46/EC towards the subsidiary on its territory when this subsidiary is only competent for the promotion of the sale of advertising and other marketing activities targeting the inhabitants in that Member State, while, according to intragroup allocation of tasks, the independent subsidiary in another Member State (in this case Ireland) is solely responsible for the collection and processing of personal data throughout the European Union and thus also in the other Member State (here: Germany), when in fact the decision for the data processing is made by the parent company?