CJEU gives a thumbs up for joint controllership of personal data
A website operator that embeds third party plugins on its website may become a joint controller in relation to the website visitors' personal data together with the third party service provider, according to a preliminary ruling by the Court of Justice of the European Union (CJEU) in case C‑40/17 Fashion ID. The judgment upholds the broad interpretation of joint controllership of personal data established by the CJEU in its recent case law. In this article we discuss the implications of the recent case law to companies engaging in shared data processing activities.
Three cases under scrutiny
Where two or more entities jointly determine the purposes and means of processing of personal data, they are deemed joint controllers under the GDPR. Since June 2018, the CJEU has shed light on the concept of joint controllership of personal data in three landmark cases.
In case C-210/16 Wirtschaftsakademie Schleswig-Holstein, the Court considered an administrator of a Facebook fan page to be a joint controller together with Facebook, from whom it received statistical data of visits to the page. In case C‑25/17 Jehovan todistajat a religious community was deemed a joint controller in relation to personal data that had been collected by the community's individual members while door-to-door preaching.
The most recent case C‑40/17 Fashion ID concerned a German online clothing retailer, which embedded a Facebook "Like" button on its online store. By visiting Fashion ID's website, the IP address of the online shopper and their browser's technical data was transferred to Facebook, even if the visitor did not click the "Like" button or have a user account in Facebook. Fashion ID did not itself have access to all this data, but it gained visibility to its products through Facebook's processing of said data.
Even though the proceedings in all the three cases concerned the pre-GDPR era, the relevant provisions have not changed in essence and the rulings clarify the data processing roles also under the GDPR.
Broad interpretation of joint controllership
The CJEU has interpreted the concept of joint data controllers broadly. In Wirtschaftsakademie Schleswig-Holstein the Court noted that joint controllership may be established even if some of these controllers do not have access to the personal data concerned. In Jehovan todistajat the Court held that exerting influence (in this case organising, coordinating and encouraging door-to-door preaching) over the processing of personal data for the controller's own purposes may be enough to invoke joint controllership.
In Fashion ID the Court held that the website operator exerted decisive influence over the collection and transmission of the website visitors' personal data to Facebook due to it embedding the social plugin in its website. The data collection and transmission would not have occurred without the plugin feature. Furthermore, the processing activities were performed in the economic interest of both parties (i.e. visibility for Fashion ID's products and access to data for Facebook). Similarly to Wirtschaftsakademie Schleswig-Holstein, the fact that Fashion ID did not itself have access to said personal data did not affect the outcome.
Responsibilities of a joint controller
In practice this means that the parties should agree on their respective responsibilities as controllers, as required by the GDPR. Such agreement should at least define the division of liability relating to information obligations and the exercise of the data subject rights.
However, the existence of collective responsibility of the joint controllers does not necessarily imply that both operators are responsible for the processing activities in an equal manner. In all three cases, the Court held that when joint controllers are involved in the processing of personal data at different stages and to different degrees, their individual level of responsibility is assessed case by case with regard to the relevant circumstances at hand. The liability of a joint controller relates only to the processing activities for which it determines, or influences, the means and purposes. Consequently, in accordance with Fashion ID, the preceding or subsequent operations might not fall under the joint controllership.
The three rulings from the CJEU have clarified the interpretation and implications of the relatively ambiguous provisions regarding joint controllership of personal data. Based on the recent case law, it seems that the criteria of joint controllership is fulfilled quite easily.
Companies engaging in shared processing activities should evaluate whether a joint controllership could exist, taking into account the recent case law. When assessing the roles of the parties, it is always recommendable to comprehensively document the assessment and its outcome in order to meet the accountability obligation of the GDPR. If a joint controllership exists, consider at least the following:
- Choose your joint controller carefully to ensure GDPR compliance.
- Enter into a joint controllership agreement pursuant to the GDPR.
- Agree on the division of responsibilities, especially with regard to the information obligation and the rights of the data subjects.
- Clearly define the extent of the joint controllership (i.e. are the parties also individual controllers for some processing activities).
- Agree on the division of liabilities between the parties (note, however, that the data subjects may have the right to direct their claims toward either of the controllers).
- Ensure that the privacy policies (and possible consent forms) take into account the existence of joint controllership and make available information on the essential elements of the joint controllership arrangement.
While the case law around joint controllership is still developing, it is clear that potential joint controllership situations need to be carefully assessed. Although the Fashion ID case concerned website operators using social media plugins, joint controllership can take many forms and its implications cannot be ignored.