
GDPR and joint controllership: why you may need to follow the trend

The recent landmark of the GDPR’s first birthday has given us reason to reflect on current trends in data protection since the Regulation’s implementation last year (see GDPR one year on: some highlights in words and numbers). One of the key trends over the last few months has been the explosion in the number of data controllers identifying as “joint controllers”, likely due in large part to the outcome of three cases decided by the CJEU in 2018.

The Facebook Fan Page case

First we had the Facebook Fan Page case, Wirtschaftsakademie. The CJEU held that the Facebook fan page owner should be considered a joint controller with Facebook despite not having any access to the personal data, collected by Facebook via cookies, which was used for statistical analysis. This was because the page owner was able “to influence the specific way in which that tool is put to use…designating the categories of people whose personal data will be collected by Facebook”. The Court also held that joint controllers do not necessarily have equal levels of responsibility; this depends on the circumstances of the case. That was surprising, given that Article 26 seems to point to joint and shared liability.

The Finnish Jehovah’s Witness case

The Finnish Jehovah’s Witness case, Tietosuojavaltuutettu (help with pronunciation most welcome), followed shortly after. In it, the CJEU decided that the Jehovah’s Witness community as a whole in an area of Finland was a joint controller with a group of door-to-door preachers from that community, because the preaching was “organised, co-ordinated and encouraged” by that community. Again, the Court held that the existence of joint responsibility did not necessarily imply equal responsibility of the various operators.

The “Facebook Like Button” case

Finally, we had the “Facebook Like Button” case, Fashion ID: in this case the Advocate General (“AG”) has opined that a fashion retailer which had embedded a Facebook “like” button on its website, in order to optimise the advertisement of its products, is a joint controller with Facebook, as it could be said to be co-determining the parameters of the data collected by the simple act of embedding the plug-in at issue in its website.  This was because visitors who loaded the site on their device had their data automatically collected by Facebook via cookies, even if they did not have a Facebook account and even if they did not click on the “like” button.

However, the AG did at least recognise the difficulties arising from the increasingly broad definition of “controller”. These include an increased risk for data subjects if it is not clear which controller is responsible for meeting which obligation, in a situation where arguably too many parties involved in the processing meet the definition of “controller”. In what would be a move away from the position in the previous two cases if followed by the Court, the AG suggested that, rather than different responsibility levels, it was better to think of controllers having responsibility for different stages of the processing chain, i.e. only those they are directly involved in, and not the preceding or subsequent stages.

What does all this mean?

The upshot of all of this is that it’s seemingly difficult to avoid a relationship of joint control, in circumstances where previously we might have used the term “controllers in common”, independent controllers – or not controllers at all. This is particularly true at the stage in the processing chain where the data is initially collected from data subjects, as was the scenario in all of the above cases. Given the potential for joint liability under Article 82 of the GDPR, this does not seem an altogether attractive prospect.  It will be interesting to see how the “different stages of processing” analysis pans out as we get more cases at the CJEU relating to later stages of the processing chain.

For the ICO guidance on joint controllers, see Legal update, ICO publishes detailed guidance on controllers and processors. For more information generally on controller obligations, see Practice note, Overview of GDPR: UK perspective: Obligations on controllers.
