Wirtschaftsakademie Schleswig-Holstein (C-210/16) (‘Facebook Fan Pages’)

Date: 05 June 2018
Issuer: Court of Justice of the European Union

JUDGMENT OF THE COURT (Grand Chamber)

5 June 2018

(Reference for a preliminary ruling — Directive 95/46/EC — Personal data — Protection of natural persons with respect to the processing of that data — Order to deactivate a Facebook page (fan page) enabling the collection and processing of certain data of visitors to that page — Article 2(d) — Controller responsible for the processing of personal data — Article 4 — Applicable national law — Article 28 — National supervisory authorities — Powers of intervention of those authorities)

In Case C‑210/16,

REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesverwaltungsgericht (Federal Administrative Court, Germany), made by decision of 25 February 2016, received at the Court on 14 April 2016, in the proceedings

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein

v

Wirtschaftsakademie Schleswig-Holstein GmbH,

interveners:

Facebook Ireland Ltd,

Vertreter des Bundesinteresses beim Bundesverwaltungsgericht,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, A. Tizzano (Rapporteur), Vice-President, M. Ilešič, L. Bay Larsen, T. von Danwitz, A. Rosas, J. Malenovský and E. Levits, Presidents of Chambers, E. Juhász, A. Borg Barthet, F. Biltgen, K. Jürimäe, C. Lycourgos, M. Vilaras and E. Regan, Judges,

Advocate General: Y. Bot,

Registrar: C. Strömholm, Administrator,

having regard to the written procedure and further to the hearing on 27 June 2017,

after considering the observations submitted on behalf of:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, by U. Karpenstein and M. Kottmann, Rechtsanwälte,

Wirtschaftsakademie Schleswig-Holstein GmbH, by C. Wolff, Rechtsanwalt,

Facebook Ireland Ltd, by C. Eggers, H.‑G. Kamann and M. Braun, Rechtsanwälte, and I. Perego, avvocato,

the German Government, by J. Möller, acting as Agent,

the Belgian Government, by L. Van den Broeck, C. Pochet, P. Cottin and J.‑C. Halleux, acting as Agents,

the Czech Government, by M. Smolek, J. Vláčil and L. Březinová, acting as Agents,

Ireland, by M. Browne, L. Williams, E. Creedon, G. Gilmore and A. Joyce, acting as Agents,

the Italian Government, by G. Palmieri, acting as Agent, and P. Gentili, avvocato dello Stato,

the Netherlands Government, by C.S. Schillemans and K. Bulterman, acting as Agents,

the Finnish Government, by J. Heliskoski, acting as Agent,

the European Commission, by H. Krämer and D. Nardi, acting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 24 October 2017,

gives the following

Judgment

1

This request for a preliminary ruling concerns the interpretation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

2

The request has been made in proceedings between the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (Independent Data Protection Centre for the Land of Schleswig-Holstein, Germany) (‘the ULD’) and Wirtschaftsakademie Schleswig-Holstein GmbH, a private-law company operating in the field of education (‘Wirtschaftsakademie’), concerning the lawfulness of ULD’s order to Wirtschaftsakademie to deactivate its fan page on the Facebook social network site (‘Facebook’).

Legal context

EU law

3

Recitals 10, 18, 19 and 26 of Directive 95/46 state:

‘(10)

Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of [EU] law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the [European Union];

...

(18)

Whereas, in order to ensure that individuals are not deprived of the protection to which they are entitled under this Directive, any processing of personal data in the [European Union] must be carried out in accordance with the law of one of the Member States; whereas, in this connection, processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State;

(19)

Whereas establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements; whereas the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect; whereas, when a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities;

(26)

Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; …’

4

Article 1 of Directive 95/46, ‘Object of the Directive’, provides:

‘1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.

2. Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1.’

5

Article 2 of Directive 95/46, ‘Definitions’, reads as follows:

‘For the purposes of this Directive:

(b)

“processing of personal data” (“processing”) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

...

(d)

“controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or [EU] laws or regulations, the controller or the specific criteria for his nomination may be designated by national or [EU] law;

(e)

“processor” shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(f)

“third party” shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data;

...’

6

Article 4 of that directive, ‘National law applicable’, provides in paragraph 1:

‘Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a)

the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b)

the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c)

the controller is not established on [EU] territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the [European Union].’

7

Article 17 of the directive, ‘Security of processing’, provides in paragraphs 1 and 2:

‘1. Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures...
