European Parliament approves text of forthcoming EU Regulation on the Free Flow of Non-Personal Data within the European Union


On 4th October 2018 the European Parliament (by 520 to 81 votes) agreed the text of the proposed EU Regulation on the Free Flow of Non-Personal Data in the European Union. The draft Regulation was proposed by the European Commission in 2017, as part of its Digital Single Market Strategy. The European Parliament, Council of Ministers and the European Commission reached a political consensus on it in June 2018. This adoption by the Parliament brings the regulation one step closer to becoming law. All that remains now is for the Council of Ministers to agree it on 6th November. It will then enter into force by the end of the year, although Member States will have 6 months to apply the new rules. This mean that it will enter into force before the UK exits the European Union in March 2019.

Background to the proposal

The European Commission proposed this regulation as part of its Digital Single Market Strategy.

According to the EU Commission the value of the EU data market in 2016 was estimated to be almost 60 billion Euros, with one study suggesting it could increase to more than 106 billion Euros by 2020.  The new regulation is designed to unlock this potential by improving the mobility of non-personal data across borders. According to the EU Commission, the free flow of non-personal data is hampered by:

  • National rules and administrative practices that restrict where data can be processed and stored. The regulation refers to such rules as data localisation requirements;
  • Uncertainty for organisations and the public sector about the legitimacy of national restrictions on data storage and processing;
  • Private restrictions (legal and contractual and technical) that hinder or prevent users of data storage or other processing services from porting their data from one service provider to another or back to their own IT systems (so called vendor lock-ins).

The aims and outline of the regulation

The regulation only apples to the processing of non-personal electronic data. However, like the GDPR, its territorial scope is wide and includes the processing of electronic data which is:

  • provided as a service to users residing or having an establishment in the EU, regardless of whether the service provider is established in the EU; or
  • is carried out by a natural or legal person (an individual, business, organisation or a public authority) residing or having an establishment in the EU for its own needs.

Processing is also defined in very similar terms to the GDPR – as meaning any operation or set of operations which is performed on data or on sets of data in electronic format, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Unlike the GDPR, it only relates to data in electronic format. Its application is wide and encompasses outsourced data storage, processing of data on platforms, or in applications.

The regulation does not apply to personal data (see below).

National rules on data storage (data localisation requirements)

The regulation aims to ensure the free movement of non-personal data within the European Union by laying down a set of rules relating to national data processing localisation rules.   These are essentially any rules, laws or administrative practices that restrict, prohibit, limit or impose conditions on where data can be processed. The regulation states that such data localisation requirements are prohibited. Member States have 24 months to repeal any such laws.

However, Member States can retain or introduce data localisation rules provided they are justified on the grounds of public security and that the rules are proportionate. In the original proposal Member States would have only had 12 months, but this was extended to 24 months by the European Parliament. Although the main body of the regulation doesn’t define public security, the recitals refer to the fact that the term has been interpreted widely to include both internal and external public security, as well as issues of public safety.

Data Availability for Competent Authorities

The regulation does not affect the powers of ‘competent’ authorities to request or obtain access to data for the performance of their official duties. The definition of competent authority is wide and includes any authority of a Member State, or any other entity authorised by national law to perform a public function or to exercise official authority, that has the power to obtain access to data processed by a natural or legal person for the performance of its official duties, as provided for by Union or national law. It therefore includes central and local government but can also include other organisations that fulfil statutory functions.

This is important, particularly if data is going to be processed in another Member State. The aim is to ensure that the powers of competent authorities to request and receive data, to enable them to fulfil their functions and regulatory powers, remain unaffected by the free movement of data. Consequently, the regulation including a procedure for cooperation between national authorities and the possibility of Member States imposing penalties for failure to comply with an obligation to provide data.

The regulation also establishes a single point of contact for each Member State, to liaise with the contacts in other Member States, and the Commission. The aim is to ensure the effective application of the new rules.

Data Portability

The Regulation also seeks to encourage and facilitate data portability via the use of self-regulatory codes of conduct and certification schemes. The European Commission’s role is to encourage, for example, cloud service providers to develop self-regulatory codes of conduct for easier switching of service provider and porting back data to in house servers. These must be implemented by

Reference is also made to certification schemes that facilitate comparison of data processing products and services for professional users. Such certification schemes may relate to quality management, information security management or environmental management.

Actions to encourage cloud service providers to develop self-regulatory codes of conduct for easier switching of provider and porting data back to in-house servers, which must be implemented within 18 months of the regulation coming into force (mid 2020).

The European Commission is tasked with monitoring development and implementation of these codes of conduct.

The new regulation does not apply to personal data

The regulation concerns non -personal data and does not cover personal data. Data Protection practitioners will no doubt be relieved to know that this means it will have no impact on the GDPR.  According to the European Commission, the two regulations will operate together to enable the free flow of any data-both personal and non-personal “creating a single European space for data”.

In the case of a data set composed of both personal and non-personal data, this new Regulation applies to the non-personal data part of the data set. Where personal and non-personal data in a data set are inextricably linked, this Regulation shall not prejudice the application of Regulation (EU) 2016/679.

The difficulty that this raise will inevitably be a practical one; applying two different regulations to a single data set that contains both person and non-personal data. The regulation rests on the assumption of a clear personal/non-personal data dichotomy, which is practice may be difficult to distinguish.

The impact of Brexit

If the new Regulation enters into force at the end of the year it will apply directly in the UK as per any other Member State. It will remain in force after the date of exit because of the provisions of the EU Withdrawal Act 2018.

After the date of exit, the UK will no longer be a Member State. The regulation effectively allows for any non personal data to be stored and processed anywhere in the EU. It does not extend this ‘right; to storage and processing in third countries. There is of course concern that data localisation rules could be applied against data processors outside the EU, which in turn could have significant adverse business implications for UK data processors.

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New Dates added for London!

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Dont forget about our GDPR Helpline, its a great tool to use for some advice when you really need it.

Posted in Brexit, EU Withdrawal, GDPR, Transparency | Leave a comment

New RIPA Codes of Practice for Surveillance and CHIS


In August 2018 the revised Codes of Practice for Covert Surveillance and Property Interference and Covert Human Intelligence Sources (CHIS) were published. These contain substantial changes and additions which public authorities conducting surveillance under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA) need to understand.

The codes provide guidance on when an application should be made for a RIPA authorisation, the procedures that must be followed before surveillance activity takes place and how to handle any information obtained through such activity. They are admissible as evidence in criminal and civil proceedings. Any court or tribunal considering such proceedings, including the Investigatory Powers Tribunal , as well as the Investigatory Powers Commissioner’s Office, responsible for overseeing the relevant powers and functions, may take the provisions of the codes into account.

Many of the changes in the revised codes reflect best practice guidance published in the OSC Procedures and Guidance Document, observations and commentary in OSC annual reports, and advice and guidance provided during inspections. The changes include amendments to the role of the Senior Responsible Officer and a new error reporting procedure. The codes also reflect developments in surveillance and monitoring – such as use of the internet and social media, drones, tracking devices etc. Here is a summary:

  1. Private information– further information and guidance relating to internet material and investigations.
  2. Tracking devices– clarification and further information
  3. Social media and internet research – Substantial new sections providing clarity and detail (read our blog post for more on this topic).
  4. Drones – A section providing guidance on the use of Aerial Surveillance Devices
  5. Intrusive surveillance– A further developed explanation
  6. General Observation Duties– Expanded section to include such activity on the internet
  7. Surveillance not core function– A section relating to covert surveillance for ‘non RIPA purposes’ (More on this topic in our blog post)
  8. CCTV and ANPR– Additional information relating to the deployment of these technologies and the relevant codes and oversight more here: (More on this topic )
  9. Necessity and proportionality– Expanded section.
  • Authorisation– New section explaining the requirement to present the circumstances in a fair and balanced manner
  • Collateral intrusion– Further explanation is provided
  • Handling of material obtained– Section relating to safeguards, retention and destruction of material
  • Third parties– more clarity relating to working with third parties, including those that are not public authorities
  • Reviews– Further detail relating to the review process requirements
  • Senior Responsible Officer– The section relating to the role of the SRO has been altered substantially and includes amendments to the role and responsibilities
  • Covert Surveillance of a CHIS– A new section dealing with this tactic
  • Renewals– A section that provides more information about the detail required
  • Record Keeping– This section has been expanded to provide more detail of requirements
  • Error Reporting– A new requirement introduced in the Investigatory Powers Act 2016. This section describes the types of errors and the reporting requirements, and how there is expected to be processes to identify if errors exist.
  • Privileged Information– A new section with more detail relating to safeguard requirements for such information.
  • Other Legislation– There is now a new section referring to the Criminal Procedure Investigations Act 1996and evidence.
  • Data Protection– A new section relating to the handling and management of material and referring to the Data Controller. (Read our blog poston GDPR and employee surveillance.)
  • Dissemination of Material– A new section relating to this aspect
  • Copying of Material– A new section relating to this aspect
  • Storage of Material– A new section relating to the secure storage of material obtained
  • Destruction of Material– Another new section relating to this aspect
  • Confidential or Privileged Material– This section has been expanded to provide more detailed information about requirements
  • Oversight– Section amended to reflect the role oversight role of the Investigatory Powers Commissioner’s Office, and their access to systems and material in order to fulfil the oversight role. (More on this subject here.) If you have a RIPA inspection coming up, read our guide
  • Complaints– This section is completely altered and provides additional information

On 30thApril 2018 the Investigatory Powers Tribunal awarded £46,694 to an individual who had complained about surveillance by British Transport Police (BTP). The determination was that that surveillance was unlawful as it had been conducted without a RIPA authorisation. BTP was criticised for amongst other things, lack of training and awareness of those involved in surveillance.

Our RIPA courses have been completely revised by our RIPA expert, Steve Morris, to include an explanation of the new codes of practice and recent developments.  If you would like an in house refresher training for your staff, please get in touch.

Posted in Privacy, RIPA, Surveillance | Leave a comment

Revised S.45 Code of Practice under FOI

Filing records

GDPR has taken the limelight from other information governance legislation especially Freedom of Information.  In July 2018, the Cabinet Office published a new code of practice under section 45 of the Freedom of Information Act 2000(FOI) replacing the previous version.

In July 2015 the Independent Commission on Freedom of Information was established by the Cabinet Office to examine the Act’s operation. The Commission concluded that the Act was working well. It did though make twenty-one recommendations to enhance the Act and further the aims of transparency and openness. The government agreed to update the S.45 Code of Practice following a consultation exercise in November 2017.

The revised code provides new, updated or expanded guidance on a variety of issues, including:

  • Transparency about public authorities’ FOI performance and senior pay and benefits, to mandate the FOI Commission recommendations for greater openness in both areas.
  • The handling of vexatious and repeated requests. The FOI Commission specifically recommended the inclusion of guidance on vexatious requests.
  • Fundamental principles of FOI not previously included in the code, e.g. general principles about how to define “information” and that which is “held” for the purposes of the Act.

In the latter section the code makes a number of interesting points:

  • Information disclosed as part of “routine business” is not an FOI request. Section 8of the Act sets out the definition of a valid FOI request. Judge for yourself if this advice is accurate.
  • Information that has been deleted but remains on back-ups is not held. This goes against a Tribunal Decision as well as ICO guidance.
  • Requests for information made in a foreign language are not valid FOI requests. Again refer to section 8 above. It does not say a request has to be in English!

The code is not law but the Information Commissioner can issue Practice Recommendations where she considers that public authorities have not complied with it. The Commissioner can also refer to non -compliance with the code in Decision and Enforcement Notices.

As well as giving more guidance on advice and assistance, costs, vexatious requests and consultation, the code places new “burdens”:

  • Public authorities should produce a guide to their Publication Scheme including a schedule of fees.
  • Those authorities with over 100 Full Time Equivalent (FTE) employees should publish details of their performance on handling FOI requests on a quarterly basis.
  • Pay, expenses and benefits of the senior staff at director level and equivalents should be published quarterly. Of course local authorities are already required to publish some of this information by the Local Government Transparency Code.
  • The public interest test extension to the time limit for responding to an FOI request (see S.10(3)) should normally be no more than 20 working days.
  • Internal reviews should normally be completed within 20 working days.

Furthermore, the other S.45 Code covering datasets has been merged with the main section 45 Code so that statutory guidance under section 45 can be found in one place. There is also an annex explaining the link between the FOI dataset provisions and the Re-use of Public Sector Information Regulations 2015.

Public authorities need to consider the new code carefully and change their FOI compliance procedures accordingly.

We will be discussing this and other recent FOI developments in our forthcoming FOI Update webinar.

Posted in Freedom of Information, Section 45, Transparency | Leave a comment

Free Information Governance Briefings for the Health Sector


Act Now Training is pleased to announce a series of free Information Governance briefings for the health sector.

The IG landscape has changed dramatically in a relatively short space of time. Healthcare professionals are facing new challenges in the form of the General Data Protection Regulation (GDPR), the Data Protection Act 2018 and the Data Security and Protection Toolkit.

In each free briefing, we will explain what these changes mean in practical terms and dispel some of the myths associated with the new legislation. Time has been allocated for questions, discussion and networking. Participants will leave with an action plan for compliance.

These briefings are ideal for Information Governance Leads in General Practices, pharmacies, Clinical Commissioning Groups, dentists, care homes and other healthcare providers.

The speakers are Ibrahim Hasan, a solicitor and director at Act Now Training, and Craig Walker, Data Protection Officer at St Helens and Knowsley Hospitals NHS Trust. Both are well-known experts in this field with many years of experience in training and advising the health sector. Other members of the Act Now team will also be on hand to answer participants’ questions over a complimentary lunch.


9.45am – Registration

10am – Start

  • The General Data Protection Regulation (GDPR) and the health sector
  • Data Protection Act 2018 – What does it mean for me?
  • Data Security & Protection Toolkit – Overview and summary of key changes
  • National Data Guardian (10 Data Security Standards) – What are they and why are they so important?
  • Data Protection Impact Assessments – When and Why?
  • Subject Access Requests – Looking at separating the facts from fiction – to charge or not to charge
  • Data Breach Prevention – What can we do to minimise the likelihood of breaches occurring
  • Cyber Security Basics – What to be on the lookout for
  • The role of the Data Protection Officer – Do I need one and what is their role?

12.00pm – Open Forum and Lunch

There are limited places available on each briefing so please book early to avoid disappointment.

These briefings are part of a series of courses specially designed for the health sector. This includes our GDPR workshops and the Certificate in Information Governance.


Posted in DP ACT 2018, GDPR, IG Health, Uncategorized | Leave a comment

ICO Refuses to Disclose GDPR Policy Document for Special Categories Data

Screen Shot 2018-08-28 at 21.59.50

In the months leading up to 25th May 2018, data controllers will have been working like Trojans to become GDPR compliant. Data Protection Officers may have been pulling their hair out at the length of their ‘to do lists’.  Not least, working out what their lawful basis or processing is, drafting Privacy Notices in clear and plain English, reviewing their subject access and breach notification procedures and training staff.

Add to all of that the additional requirements imposed by the Data Protection Act 2018 to have an ‘appropriate policy’ in place in relation to the processing of certain special category personal data and personal data relating to criminal convictions.  Specifically s. 10 DPA requires that processing special category data meets the conditions in Part 1-3 of Schedule 1. This in turn also requires that in certain circumstances the data controller must have an ‘appropriate policy document in place’. [1]  Schedule 1, Part 4 provides some limited guidance on what must be in the policy document. The document must explain the controller’s procedures for securing compliance with the principles in Article 5 of the GDPR in connection with the processing of the personal data.  It must also explain the controller’s policies in relation to the retention and erasure of personal data processed in reliance of the condition.

This new requirement may not have been the foremost concern for every data controller and it is possible or even likely that policies may still be in draft as DPOs work out what to include in their documents.  The ICO has not, as yet, issued any guidance on these policy documents and so this no doubt will present challenges for many DPOs. . Perhaps the requirement is also presenting challenges for the ICO, because at the time of writing, the ICO is unwilling to publish its own Policy Document.

The request and the refusal

On 19th July the ICO received a request for a copy of its ‘Policy designed to show compliance with Schedule 1, Part 4 of the DPA 2018.’  Although the applicant did not explain why they wanted it (and as FOIA practitioners know, the regime is purpose blind), there can be little doubt that many data controllers would find the ICO’s own Policy Document a very useful guide to the scope and content of such a policy.  Additionally it is important that the public, and indeed ICO employees, are made aware of how the ICO itself will process special category and criminal conviction data.

On August 17th 2018 the ICO refused the request, citing the s 22 FOIA exemption (information held with a view to future publication).  S 22 provides that information is exempt information if:

  • the information is held by the public authority with a view to its publication, by the authority or any other person, at some future date (whether determined or not),
  • the information was already held with a view to such publication at the time the request for information was made, and
  • it is reasonable in all the circumstances that the information should be withheld from disclosure until the date referred to in paragraph (a).

S 22 is a qualified exemption and requires a determination of the public interest.

Sadly, the ICO’s Refusal Notice falls short of the ‘best practice’ that one should reasonably expect from the FOIA regulator.

  • The refusal notice offers no explanation of why the ICO believes it is reasonable in all the circumstances to withhold disclosure until some future date. The ICO has failed to follow its own guidance on the s 22 exemption in not even addressing this point. In fact it is arguable that by not considering this, the exemption is not engaged.
  • It fails to provide any indication of a future intended date for publication.  Although there is no requirement under the FOIA to do this, given the level of interest surrounding the new Data Protection Act it is difficult to see why the ICO did not seek to offer some indication of the intended future publication date.  It also neglects the ICO’s own advice on the s 22 exemption, that  is good practice to provide the requestor with an anticipated date of publication.
  • It fails to adequately explain the public interest factors that have been taken into account.

Weak and generic public interest assessment

The public interest test requires an assessment of whether:

In all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

This requires a particular attention to the ‘circumstances of the case’. In one of its earliest judgments the Information Tribunal emphasised that a public authority must ask ‘is the balance of public interest in favour of maintain the exemption in relation to this information and in the circumstances of this case?’. [2] The ICO refusal notice is however generic and lacks any explicit reference to the information requested or the particular circumstances surrounding this document.

In favour of disclosure the ICO simply states that there is a public interest in transparency being demonstrated by disclosure and a legitimate interest in the compliance of the ICO with the legislation it regulates. It could have added more weight to this side of the equation. For instance, it could have supplemented these rather generic assertions by making explicit reference to the first Principle in Article 5 (1) GDPR, that data should be processed in a transparent manner. It might also have used different language recognising a ‘strong’ (rather than legitimate) public interest in ensuring that the ICO complies with the legislation it regulates, particularly given the gravity of non-compliance.

In favour of withholding the information the ICO cites three points, again without elaboration or reference to the specifics of the case.

First it states that ‘transparency is achieved through the pro-active publication of information on the web site’. Simply stating this falls well short of explaining how it is not in the public interest to disclose earlier than planned. Given that the information is going to be published at some future date, the public interest test should really consider why it is not in the public interest to publish earlier than planned. This is not addressed by the ICO.

Second, the ICO cites ‘the impact on ICO resources if we were to respond individually to requests for information that is due to be published’. This again appears to be something of a blanket refusal and fails to take into account the specific information that is being requested.

Finally, the ICO cites there is no pressing public interest in disclosing the information early. The refusal notice does not offer any reason in support of why it would not be in the public interest to disclose the document now. There is no explanation about why the ICO has reached this conclusion. However, perhaps more compelling is the fact that the Act has been in force for almost three months now. The ICO should have had a Policy Document in place since May 23rd 2018. In which case it is difficult to see how disclosing it now would be ‘early’. That is unless the document is still in a draft form and the ICO is not in a position to say when it might be published. Perhaps the ICO, like other data controllers is finding it a challenge to draft its Policy Document.

At the time of writing the requestor has submitted a request for an internal review.

I leave you with the ICO’s strapline; ICO, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


Susan Wolf has over ten years experience teaching information rights practitioners on the LLM Information Rights Law & Practice at Northumbria University. She will be delivering a range of online webinars on various subjects around GDPR. 

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New Dates added for London!

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.


[1]  In addition, under Part 3 of the DPA 2018 which implements the Law Enforcement Directive, sections 35 and 42 and Schedule 8 also require that data controllers have an appropriate policy document in place.

[2] Hogan and Oxford City Council v The Information Commissioner EA/2005/0026 & EA/2005/0030

Posted in DP ACT 2018, GDPR, ICO, Information Security | 2 Comments

Facebook Fan page administrators need to be GDPR compliant



By Susan Wolf

In our previous blog we considered the recent, and much awaited, decision of the Court of Justice of the European Union  (CJEU) on the status of Facebook fan page users [1]. After protracted litigation in the German Courts, the CJEU ruled on June 5th 2018, that the concept of data controller was wide enough to include a user of a fan page hosted on a social network (in this case Facebook).

WirtschaftsakademieSchleswig-Holstein GmbH (a private training academy) operated a Facebook fan page, which it used to promote its activities. Facebook provided Wirtschaftsakademie with anonymsied statistical data about people who visited the fan pages. The German Data Protection authority for Schleswig-Holstein ordered Wirtschaftsakademie to deactivate the page or risk a fine. This is because visitors to the fan page were not warned that their personal data was being being collected by Facebook, by means of cookies that were placed on the visitor’s hard disk. The purpose of that data collection was to compile viewing statistics for the Wirtschaftsakademieand to enable Facebook to publish targeted advertisements.

Technically the Court’s jurisdiction is limited to providing authoritative rulings on the interpretation of EU law and not determining the outcome of a case. However, in this case the Court made it very clear that, Wirtschaftsakademie was a data controller responsible for processing personal data, jointly with Facebook Ireland. However, the ruling has much wider implications and could affect all organisations that use Facebook fan pages, or other similar online social media.

Joint Data Controllers Must have an Agreement that sets out respective responsibilities under the GDPR


The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services does not mean it escapes any of the obligations concerning the protection of personal data. In short, as a joint data controller, the fan page user must comply with the GDPR.  Similarly the fact that the fan page user acts as a joint controller, in that it decides to use Facebook as its platform, does not relieve Facebook of its obligations as controller either.  They are joint data controllers; a concept specifically acknowledged by Article 26 of the GDPR, which states.

“Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall, in a transparent manner determine their respective responsibilities for compliance with the obligations under [the GDPR] in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless….The arrangement may designate a contact point for data subjects.”

Joint controllers must enter into a specific agreement, or contract, that sets out their respective responsibilities under the GDPR.

Joint Controller does not necessarily mean ‘equal controller’


The fact that two entities are joint controllers does not mean that they are ‘equals’. The CJEU acknowledges that the existence of joint responsibility, with an online social network, such as Facebook does not necessarily imply equal responsibility.

Depending on the circumstances, different operators may be involved at different stages of that processing, and also to different degrees.  So for example, it is not necessary for a data controller to have complete control over all aspects of data processing. Indeed data processing today is becoming much more complex and may involve several distinct processes that involve numerous parties, each exercising different degrees of control. With such complexity it is even more important that roles and responsibilities are clearly defined and easily allocated.  However Article 26 GDPR also requires that the ‘allocation’ of responsibilities must be transparent. The Article 29 Working Party 2010 Opinion on Data Controllers [2] (Now the European Data Protection Board) emphasises that the complexities of joint control arrangements must not result in an unworkable distribution of responsibilities that will make it more difficult for data subjects to enforce their rights.

On 15th June Facebook issued a statement for users of Facebook fan pages. This also acknowledges that ‘it does not make sense to impose an equal footing on page operators for the data processing carried out by Facebook’.  Accordingly Facebook has indicated that it will update its own terms and conditions to clarify the respective data protection responsibilities of Facebook and Fan Page site users. (The statement does not expressly refer to the GDPR). However, at the time of writing this blog nothing further has been issued.

A note of caution: Liabilities

The terms of any joint controller agreement will be very important because of the provisions of Article 82 (4). This states that where more than one data controllers are involved in the ‘same processing’ and where they are responsible for any damage caused by processing, each controller shall be held liable for the entire damage. This is to ensure the effective compensation of data subjects who suffer any ‘material or non material’ damage as a result of any breach of the GDPR. However, GDPR Recital 146 states that where both controllers are joined in the same legal proceedings, compensation may be apportioned according to the responsibility of each controller. (Subject to the caveat that the data subject who has suffered any damage is compensated in full).  Therefore an agreement that specifically allocates responsibilities, and liabilities, should be regarded as essential.

What steps should Fan Page users be taking now?

Until Facebook clarifies its position on joint controller agreement, it might be prudent for anyone thinking of opening a Facebook fan page, to defer from doing so.

However, existing fan page users do need to take steps to become GDPR compliant.

The Information Commissioner’s Office has not, as yet, issued any guidance to fan page users. However, the German Data Protection Authorities have issued a statement advising Facebook fan page users/operators that they must comply with the applicable provisions of the GDPR and specifically the following obligations:

  • The operator must provide information on processing activities by Facebook and by the operator itself transparently and in an understandable form.
  • The operator must ensure that Facebook provides the relevant information to enable the operator to fulfil its information obligations.
  • The operator must obtain opt-in consent for tracking visitors to a fan page (e.g., by using cookies or similar technologies).
  • The operator must enter into a co-controller agreement with Facebook.

Perhaps a more pragmatic solution is for fan page users to consider what steps an organisation would need to take, as data controller, if they had created their own website (other than via Facebook) and embedded cookies and implemented a tool similar to the Facebook Insights tool, in order to compile viewing statistics.

[1] Case C210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v

Wirtschaftsakademie Schleswig-Holstein GmbH

[2] Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of “controller” and “processor”


Act Now provides a full GDPR Course programme including one day workshops, elearning, Healthchecks and our GDPR Practitioner Certificate. 

Book now to avoid disappointment! 


Posted in Data Protection, GDPR, Social media | Leave a comment

Decision: Facebook Fan Page Administrators are Data Controllers


By Susan Wolf

On 5th June 2018 the Court of Justice of the European Union (CJEU) delivered its long awaited Facebook fan page decision. The case concerned the definition of data controller under the now repealed Data Protection Directive 95/46/EC [1] and in particular whether the administrator user of a Facebook fan page was a data controller.

The fact that the Data Protection Directive has been replaced by the GDPR 2016 should not diminish the importance of this ruling, particularly for organisations that use Facebook or other social media platforms to promote their business or organisation.

We explain some of the issues raised in the case and consider the implications of the ruling for administrators of Facebook fan pages under the GDPR.

The case

The case involved Wirtschaftsakademie Schleswig-Holstein GmbH, a private training academy in Germany. The company provided business training for commerce and industry (including GDPR training).  It operated a Facebook fan page to make people aware of its range of services and activities.

Fan pages are user accounts that can be set up on Facebook by individuals or businesses. According to Facebook, a fan page is a place where businesses can create a space on Facebook, to connect with people to tell them about their business.  Fan pages are not the same as Facebook profiles, which are limited purely for individuals’ personal use. Unlike a personal Facebook profile, a Fan page is accessible to anyone using the Internet.

Authors of fan pages must register with Facebook in order to use the online platform to post any kind of communication. At that time, fan page administrators could obtain, from Facebook, anonymous statistical information on visitors to the fan page, via a function called ‘Facebook Insights’. That information was collected by means of ‘cookies’, each containing a unique user code, which remained active for two years and were stored by Facebook on the hard disk of the computer or on other media of visitors to fan pages. The user code, which could be matched with the connection data of users registered on Facebook, was collected and processed when the fan pages were opened.

The service, which was provided free of charge under non-negotiable terms, was no doubt very useful to the German Training Academy.  Unfortunately, neither Wirtschaftsakademie, nor Facebook Ireland notified anybody ‘visiting’ the fan page about the use of the cookies or the subsequent processing of the personal data.  The German Data Protection Supervisory Authority for the Schleswig-Holstein Land (Region) took the view that by setting up its fan page, the Wirtschaftsakademie had made an active and deliberate contribution to the collection by Facebook of personal data relating to visitors to the fan page, from which it profited by means of the statistics provided to it by Facebook.  The regulator concluded (in November 2011) that the Wirtschaftsakademie was a data controller and consequently ordered it to deactivate its fan page and threatened a penalty payment if the page was not removed.

The Wirtschaftsakademie challenged that before the German Administrative Court. Their main argument was that it was not responsible under data protection law for the processing of the data by Facebook or the cookies that Facebook installed, and neither had it commissioned Facebook to process personal data on its behalf. This argument was successful before the administrative court. However the regulator appealed and what followed was lengthy protracted litigation in the German courts. By 2016 the case had reached the Federal Administrative Court. The Federal Court also agreed that the Wirtschaftsakademie was not responsible for the data processing as defined by Article 2 (d) of the Data Protection Directive:

  • (d) ‘controller’ shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. The GDPR, Article 4 defines data controller in identical terms.

However, the Federal Court also decided that it was necessary to refer the question to the CJEU under the preliminary rulings, particularly since the CJEU had previously ruled [2] that the concept of data controller should be given a broad interpretation in the interests of the effective protection of the right of privacy.

The CJEU Ruling

The CJEU has no difficulty in concluding that Facebook Inc. and Facebook Ireland were data controllers because they

determined the purposes and means of processing the personal data of Facebook users and anyone visiting fan pages hosted on Facebook. However, the Court recalls that the definition includes entities that  ‘alone or jointly with others’ determine the purposes and means of data processing. In other words, the purposes may be determined by more than one controller and may be determined by ‘several actors taking part in the processing’ with each being subject to the provisions of the Directive.

On the facts, the Court considered that the administrator of a Facebook fan page:

  • Enters into a contract with Facebook Ireland and subscribes to the conditions of use, including the use of cookies.
  • Is able to define the parameters of the fan page, which has an influence on the processing of personal data for the purposes of producing statistics based on visits to the fan page.
  • Could, with the help of filters made available by Facebook, define the criteria for statistical analysis of data.
  • Could designate the categories of persons whose personal data is to be made use of by Facebook.
  • Can ask Facebook for demographic data relating to its target audience, including age, sex, relationship and occupation, lifestyle and purchasing habits.

These factors pointed to the fact that the administrator of a fan page hosted on Facebook takes part in the determination of the purposes and means of processing the personal data of visitors to the fan page. Consequently the administrator of the fan page is to be regarded as a data controller, jointly with Facebook Ireland.

The Court rejected arguments that the Wirtschaftsakademie only received the statistical data in anonymised form because the fact remained that the statistics were based on the collection, by cookies, of the personal data of visitors to the fan page.

The fact that the fan page administrator uses the platform provided by Facebook does not exempt it from compliance with the Directive. The Court also added that non Facebook users may visit a fan page and therefore the administrator’s responsibilities for the processing of the personal data appears to be even greater as the mere consultation of the home page automatically starts the processing of personal data.

[1]  Case C210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v

Wirtschaftsakademie Schleswig-Holstein GmbH

[2]Case C 212/13  František Ryneš v Úřad pro ochranu osobních údajů


We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New Dates added for London!

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Dont forget about our GDPR Helpline, its a great tool to use for some advice when you really need it.

Posted in Data Protection, GDPR, Personal Data, Social media | 2 Comments