CJEU Advocate General opines on the definition of a data controller, applicable national law, and jurisdiction under data protection law

Henry Pearce
Lecturer in Law, University of Hertfordshire, and Doctoral Researcher at the Institute for Law and the Web at the University of Southampton.

This article was originally posted on Peep Beep!, a blog dedicated to privacy and information law.


‘Cruise control for the social media age, or stuck in second gear?’ The issue of defining data controllership is “particularly thorny” says AG, and looking to become thornier as complete control is becoming less and less common in practice

Last month, Advocate General (AG) Bot of the Court of Justice of the EU (CJEU) delivered an opinion which, although non-binding in nature, could potentially have far-reaching consequences for the development of data protection law in the EU. The opinion concerns a number of questions brought before the CJEU in relation to case C-210/16, which concerns a dispute between a regional German data protection authority (DPA) and a private education company, Wirtschaftsakademie Schleswig-Holstein GmbH. The main issue for the AG to consider was whether the German DPA was entitled to utilise its powers of intervention under the Data Protection Directive (DPD) against the education company, despite the fact that the latter was considered by the German courts not to be a ‘data controller’ for the purposes of the definition of this concept under Article 2(d) DPD (“the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data”).

The request for a preliminary ruling concerned the legality of an order made by the DPA against the education company, which required the latter to deactivate a fan page hosted by Facebook Ireland, the entity that Facebook Inc has designated the controller of personal data processing by it in the EU. (A Facebook fan page is a special Facebook user account that individuals and businesses can set up in order to promote themselves, usually for commercial purposes.)

The DPA had alleged that, by failing to inform end users visiting the fan page that their data would be automatically collected by Facebook via cookies installed on their computing equipment, the fan page infringed a variety of provisions of German data protection law implementing the DPD. These data were collected via Facebook for the purposes of compiling anonymous statistical information, which would benefit the education company, and for the purposes of refining Facebook’s targeted behavioural advertising endeavours. By contrast, the education company argued that it was not responsible for the activities carried out by Facebook, including the automatic installation of cookies on end users’ computing equipment, and therefore it was not a data controller in respect of such personal data processing, and so it should not be subject to the exercise of the powers of the German DPA.

After being contested in the German Administrative Court and the Higher Administrative Court, the German Federal Administrative Court agreed that the education company was not a controller because, it concluded, the organisation had no power to influence the collection of personal data or the purpose of any subsequent processing in this context. However, in its request for a preliminary ruling to the CJEU, the Court asked for clarification on six questions, which can be summarised as follows:

  1. Are data controllers the only parties capable of incurring liability and responsibility for data protection violations? Alternatively, do DPAs have jurisdiction to exercise their powers of intervention under Art.28 DPD in relation to undertakings that are not data controllers per the DPD’s definition?
  2. Under Art.17(2) DPD, is it possible to infer a possible duty for making the same careful choice in respect of other multi-tiered information provider relationships, other than those between controllers and processors? (This provision specifies that in sub-contractual relationships, where a data controller delegates data processing activities to a dedicated data processor, the controller is under a duty to choose a processor which provides sufficient guarantees in respect of technical security and organisational measures in respect of the processing to be carried out.)
  3. Where an undertaking is primarily based outside the EU (e.g. Facebook), but has subsidiaries established within the territories of the EU (e.g. Facebook Germany and Facebook Ireland), is the DPA of one EU Member State entitled to use its powers of intervention against a subsidiary based in its territory but not responsible for making determinations in respect of the purposes of the collection and processing of personal data throughout the EU, whilst another subsidiary of the same undertaking based in another Member State has this responsibility?
  4. Where a controller has an establishment in one Member State responsible for determining the purposes of acts of personal data collections and processing (e.g. Facebook Ireland), and another legally independent establishment in another Member State whose responsibilities are restricted to marketing activities targeted at the inhabitants of that Member State (e.g. Facebook Germany), is the DPA of the latter Member State entitled to exercise its powers of intervention against the establishment in its territory, or are such powers exercisable only by the DPA of the Member State where the determinations regarding the collection and processing of personal data are undertaken?
  5. In cases where the DPA based in one Member State exercises its powers of intervention against a person/entity in its territory (on the grounds of failing to exercise due care in choosing a third party located in another Member State to be involved in personal data processing activities due to that third party being an infringer of the DPD), is the DPA bound by the appraisal of a DPA from the Member State where the third party is based, or can the DPA of the first Member State come to its own independent conclusion?
  6. Where the DPA of a Member State is in a position to conduct an independent investigation, does Art.28 DPD permit it to exercise its powers of intervention against a person/entity established in its territory on the grounds of an alleged data protection violation for which they are jointly responsible with a third party established in another Member State, or must it first request that a DPA of the Member State where the third party is based exercise its own powers before it is permitted to act?

In response to the first two questions, the AG argued that both were premised on the mistaken belief that a Facebook fan page could not be a controller for the purposes of the DPD. This, he suggested, was fundamentally wrong. Whilst acknowledging that, first and foremost, the administrator of a Facebook fan page is an individual end user of Facebook, the AG said that this in itself is not enough to preclude it being responsible for the collection of user data by Facebook itself. Drawing on the definition of controller contained in Art.2(d), the AG argued that so long as the administrator of a fan page has influence over, or can “determine”, the purpose and means of any data collection and processing linked to end users visiting the page, they will be a controller for the purposes of the DPD.

So why exactly, on the facts of this case, did the AG conclude that the administrator of this particular fan page was definitely a controller? In short, this conclusion was primarily based on two main factors.

  • Firstly, the collection and subsequent processing of user personal data by Facebook would not have been possible if the administrator had not created the fan page. Accordingly, the creation of the fan page by the administrator represented an agreement to Facebook’s means and purposes of processing personal data, and therefore signified that the administrator had participated in the “determination” of those ways and means.
  • Secondly, due to technological insight tools offered by Facebook, fan page administrators are able to influence the specific way in which Facebook itself uses its data collection tools in relation to visitors to their fan page. This can allow the administrator to effectively define a personalised audience, and designate categories of users whose personal data will be collected. This, according to the AG, must also be considered as participating in the “determination” of the means and purposes of an act of data processing.

In circumstances similar to the immediate case, therefore, Facebook fan page administrators, as well as administrators of fan pages on similar platforms, must be considered joint data controllers along with Facebook. In reaching this conclusion the AG drew an analogy to help support his conclusion: if an undertaking were to make its own website and utilised similar tools to those made available through Facebook for the purposes of managing fan pages, it would undoubtedly be considered a controller. Accordingly, he argued, as there was no “fundamental difference” between the two scenarios, it would be wrong for the law to treat them differently!

In response to the third and fourth questions, the AG drew attention to the fact that, as mentioned, Facebook Ireland was Facebook’s designated data controller in the EU, whereas Facebook Germany was only responsible for marketing endeavours aimed at German users. He then suggested that in order to answer the question of whether a DPA based in one Member State is entitled to exercise its powers of intervention in relation to processing activities for which a party in another Member State is responsible, it is necessary to first determine whether the DPA in the first Member State has the right to apply its own national law to the data processing in question.

Turning to the facts of this case, the AG opined that the German DPA was indeed entitled to exercise its powers of intervention against Facebook Ireland, despite the latter being based in another Member State. Specifically, he alluded to Art.4(1)(a) DPD specifying that acts of personal data processing will be governed by the law of the Member State in which said processing is carried out in “the context of the activities of an establishment” of a controller on the territory of that Member State. In other words, the applicability of the national law of any Member State to an act of personal data processing requires the controller 1) to have an “establishment” in that Member State, and 2) the processing must be carried out “in the context of the activities of that establishment”. With both these points in mind, the AG argued that as Facebook Germany has a registered office in Hamburg through which it carries out its business, it undoubtedly should be considered an establishment for the purposes of Art.4(1)(a).

In reaching this conclusion, the AG also drew on previous decisions of the CJEU in the Google Spain and Weltimmo cases (to remind readers, posts about the latter decisions on this blog can be found here and here). The AG laid emphasis on the fact that, as Facebook Germany was responsible for marketing to German Facebook users, the personal data processed by it in relation to this must be considered as being “in the context” of Facebook Germany’s engagement with its users.

So, what does this mean for DPAs who find themselves in this context? The AG concluded that the German supervisory authority indeed had the power to apply its own national law to the proceedings and could exercise all its powers of intervention to ensure that German law was applied by Facebook on German territory. In other words, neither the place where the processing is carried out nor where the controller is established are decisive in determining which national law applies to data processing activities.

Moreover, he argued that the suggestion that Art.4(1)(a) should be interpreted as requiring data controllers to have regard for the legislation of one Member State only was contrary to the wording of the DPD (specifically Recital 19, which mentions the possibility of the application of multiple national legislations to data processing activities). He added that:

  • an inability for DPAs to target data controllers in other Member States would neuter their competency under Art.28 to uphold data protection law (as it is only by targeting the controller in a particular data processing operation that any alleged infringements could be effectively combatted), and
  • allowing DPAs to impose measures on controllers that are not established in their own Member State would not represent the DPA overstepping its power, as the purpose of all DPAs is to ensure compliance with data protection law in all Member States.

Regarding the fifth and sixth questions, the AG concluded that a DPA must be able to use its powers of intervention in an autonomous way unfettered by any obligations to first correspond with, or defer to, another DPA.

The AG’s opinion is noteworthy for a number of reasons. Most strikingly, it perhaps represents a notable broadening of the notion of a data controller, a concept that already enjoys wide definition. If the AG’s approach were to be followed in the final CJEU judgement due imminently and adopted by the CJEU in future case law, this would seemingly open the door further to the possibility of individual users of social networking sites like Facebook being categorised as controllers (a door which has come to be wedged open under EU law in recent years), and therefore being made subject to the substantive tenets and provisions of the European data protection framework.

More generally, the AG’s expansive approach to the powers and abilities of DPAs regarding cross-border effects of personal data activities in the EU, as well as the applicability of national data protection law, may also raise interesting questions in relation to conflicts of laws and jurisdiction. What must also be kept in mind, however, is that after the GDPR replaces the DPD next May, the ‘One-Stop-Shop mechanism’ (discussed here by the influential Article 29 Working Party) will ensure that any regulatory action in relation to an alleged infringement of data protection law will be driven and overseen by the DPA located in an undertaking’s main EU establishment.

Meaning – after all that – if adopted, AG Bot’s approach on jurisdiction may be short-lived!



Report conference ‘EU Criminal Justice Policy and Practice’, 26 – 27 June 2017

Konstantinos Zoumpoulakis
Research Assistant at the Institute of Criminal Law & Criminology

The report was originally published on the webpage of the University of Leiden and is re-posted here with the approval of its author and conference organisers.

Leiden Law School had the honor to hold with great success the interdisciplinary conference on ‘EU Criminal Justice Policy and Practice – Reflections and Prospects’ that gathered renowned academics, young scholars and practitioners from all over Europe. During the two days of the Conference, which was organized by Jannemieke Ouwerkerk and Judit Altena, Leiden Law School was the forum of sparkling dialogues and fruitful discussions that covered a great variety of subjects in the field of European criminal justice policies.

The Conference was opened by our Dean Joanne van der Leun, who stressed the need for a closer collaboration between criminal law and criminology in order to enhance the efficiency of criminal policies. Subsequently, stimulating contributions during the first plenary session addressed the topic of the legislative process in the field of EU criminal law. In particular, the invited speakers Dennis de Jong, Hans G. Nilsson and Thomas Elholm raised important issues ranging from the need for an inter-institutional agreement on the principles of European criminal legislation to the relation between European criminal legislation and increased repression as well as the prospects for decriminalization. The plenary session was followed by a Q&A round, where crucial thoughts and questions were addressed to the speakers.

The main part of the Conference was filled with a series of parallel panel sessions, where a broad spectrum of subjects was covered. Indeed, the discussions ranged from the need for evidence-based law-making to criminalization principles and the limits to criminalization, the effectiveness of EU criminal law as well as the European policy on sanctions. In particular, Valsamis Mitsilegas referred to the potential routes towards decriminalization, especially with regard to the effectiveness of EU criminal law, while Pim Geelhoed argued for a rather innovative cognitive approach on the criminalization of PIF offences. Respectively, an interesting view on the harmonization of legal interests was offered by Jeroen ten Voorde and Tineke Cleiren, while other stimulating contributions varied from the legitimacy of European criminal law to the breaches of sales contracts as well as the issue of food fraud within the EU. Undoubtedly, the great variety of topics captured the entire discussion around EU criminal justice policies and provided the attendees with valuable input for further reflection. To this end, the interaction in panels between invited senior scholars and early-career scholars, who were given the opportunity to present and support their ideas, led to vivid discussions.

The Conference was concluded by a second plenary session on the future of EU criminal justice policies, where two significant speeches from Nick Tilley and Nina Peršak were delivered. In particular, the former raised the need for a realistic approach for crime prevention purposes, while the latter argued for the philosophical underpinnings of EU criminal law as well as its prospects. Finally, on behalf of the organizers, Jannemieke Ouwerkerk thanked the participants for their intriguing contributions. In brief, it can be claimed with certainty that the Conference provided a great opportunity for significant contributions that will enrich the academic discussions on European criminal justice policies. Hopefully, it may equally trigger any future developments in the field.

Some Thoughts on the Encryption Regulatory Debate

Henry Pearce
Lecturer in Law, University of Hertfordshire, and Doctoral Researcher at the Institute for Law and the Web at the University of Southampton.

This article was originally posted on the UKCLA blog

Debates about the regulation of encryption technologies and surveillance have been around for decades. It is in unfortunate circumstances that these debates have now been thrust back into the public eye. Following the horrifying Westminster attack which occurred on 22nd March 2017, Amber Rudd, the UK’s Home Secretary, has been very vocal in suggesting that in order for the police and security services to be able to effectively investigate and prevent future terrorist acts they must be given access to over-the-top messaging services that utilise end-to-end encryption, such as WhatsApp. (End-to-end encryption services can generally be described as those which allow for conversations to be read only by the sender and recipient of individual messages, meaning that such messages cannot be intercepted and read by a third party.) Her comments appeared to have been driven by the fact that Khalid Masood, the perpetrator of the attack, had used WhatsApp shortly before commencing his appalling actions. In particular, Rudd has claimed it is “unacceptable” that governmental agencies were unable to read messages protected by WhatsApp’s end-to-end encryption, and in an interview given to the BBC on Sunday 26th March, intimated that she would consider pursuing the enactment of new legislation which would require the providers of encrypted messaging services to grant access to the UK intelligence agencies. This sentiment has since broadly been endorsed by the UK government.

Rape victims “raped all over again” during gruelling cross examinations

Chloe Jones
LLB Student at the University of Hertfordshire

Cross examination refers to the questioning of a party or witness during a trial, hearing or deposition by the opposing party, who requires the person to testify, to enable them to evaluate the truth and reliability of their testimony, often to enable them to develop it further. The questions during cross-examination are limited to the subjects covered in the direct examination of the witness. Leading questions may be asked and a strong cross-examination can force contradictions and expressions of doubts. Cross examination of victims can be extremely difficult and personal, often involving reliving emotional periods of their lives. This particularly holds true for those involved in crimes of a sexual nature, such as sexual assault and rape.

Reflections on visits to the Houses of Parliament and UK Supreme Court

Claire Chok Mann and Cheska Tatiana
LLB Students at the University of Hertfordshire


Reflections on the Houses of Parliament


Sir Charles Barry’s magnum opus truly captures the monumental culture and history of the United Kingdom. His romantic vision of a gothic palace manifested before our eyes. The Palace of Westminster; his crowning achievement. An air of excitement with a mixture of gasps and clicks of the camera hung in the air. The art connoisseurs and aestheticians amongst us law students started to comment on the fine art and sculptures, which were interlaced with the building’s grand architecture.

A word of advice: have a hearty meal and ensure that your photo-taking device is fully charged before you start on your adventure.