Update on the CJEU Judgement in Case C 210/16 : In the route to enforce EU Data Protection Rules

Three months ago, the CJEU (the “Court”) held that operators of Facebook Pages are jointly responsible for the data processing operations of Facebook of the visitors to its Fan Page -the key points of the case was previously discussed here. However, until today, many organisations have not closed their Facebook Fan Pages. The following aims to explore the state of affairs and provides a lawinfographic to help to explain why is important to comply and what steps should be taken.


Useful? Embed this infographic on your website.


Clearly, declaring the Administrator and the social network joint controllers, sharing the responsibility for the processing of the personal data* aimed to make the operators assume its obligations and ensure a more complete protection of the rights of persons visiting their Fan Pages.

*not necessarily mean that the responsibility is distributed equally.


The Court didn’t give any hint to organisations about how to effectively control and assume its obligations without Facebook cooperation. Let me explain, as it is illustrated in the referred case, Facebook determines the terms for the data processing of the fan page visitor’s of Wirtschaftsakademie; hence, the organisation does not really have the power to set their own cookie notice; or decline the Facebook Insights, or execute a co-controller agreement without the cooperation of the social network.


So far, on the 8 of June 2018, the Supervisory Authority for the Land of Schleswig-Holstein announced that the operators of a Fan Page must ensure compliance with the data protection rules; in particular, transparency, lawful basis (consent for tracking mechanisms), and data controllers obligations (co-controller agreement). Emphasising to the Administrators their duty to maintain only privacy-compliant pages.

On the 19 of June 2018, Facebook declared that it will take the steps necessary to enable Fan Page Administrators to satisfy their legal obligations under a joint data controller scenario; however, after that, no further update has come through; thus, no solution has been given.


At the moment, there is only one 100% safe way to proceed for businesses; to close their Facebook Fan Pages, and to consider doing the same with pages hosted in other social networks which are not operating in compliance with the law.

However, the above, from a business point of view, is a hard decision to make. It is undisputable the power of social media to reach people (potential clients), increase exposure (marketing) and generate rewards (revenues). I guess that’s why three months later after the CJEU’s ruling, neither Wirtschaftsakademie or the Supervisory Authority for the Land of Schleswig-Holstein (the “SA”) have closed their Facebook pages.


Due to the ruling, the Administrators of Fan Pages should be pushing Facebook to upgrade their terms and ensure compliance with the data protection laws; otherwise, closing their page and leaving the social network. However, so far this is not happening.

On the contrary, organisations are taking compliance risks but not closing their pages; which results in weakening their bargain position and place them into a “take it or leave it” situation where the social media giant has the upper hand.


  • Promote awareness about the compliance risk to use of Facebook Fan Pages. More organisations and data subjects requesting Facebook to provide products and services in line with the relevant data protection laws, put more pressure on this social network to change its terms, and set an example for other social networks to follow the same path.
  • Check again the cost of non-compliance:
    (i)     The ruling does not apply only to German companies; it would have to be taken into account by all member states when interpreting EU law in similar issues;
    (ii)    Regardless that the responsibility of the data controllers may be different and hence affect the degree of liability, the data subjects can hold your organisation accountable for the entire damage;
    (iii)   As it is, the processing of personal data when using a Facebook Fan Page, among others, breach the principles of processing and data subjects rights, both sanctioned with the higher fine, 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
    (iv)    Corrective Measures can be instructed by the Supervisory Authority such as closing the Fan Page. Therefore, an organisation taking the risk to keep its page open can end up with a fine and forced to close the page anyway.
  • If you still want to take the risk and keep on using the platform, do as much as you can to comply with your obligations –e.g., request Facebook information and execution of a co-controller agreement; provide with information about the data processing by Facebook (publicly available) on the fan page; provide with tools to manage cookies (to opt-out)– And, communicate your efforts to your SA and request collaboration to get Facebook to cooperate to achieve full compliance.

The lawinfographic of this article aims to help businesses in their route to compliance when using third party providers and platforms in line with the relevant data protection laws and CJEU’s judgements.

Each lawinfographic has a visual presentation and keywords that will allow comprehending at a glance the main topic. The articles contain several examples and/or references that have been taken from the EU law, regulations, guidelines and opinions on the matter. If you require more information, do not hesitate to consult the links provided through the article or reach our Chief Data Protection Officer on LinkedIn.




Rate this infographic!

Leave a Reply

Your email address will not be published. Required fields are marked *