Decision of 25 February 2016 - BVerwG 1 C 28.14
ECLI:DE:BVerwG:2016:250216B1C28.14.0
Please note that the official language of proceedings brought before the Federal Administrative Court of Germany, including its decisions, is German. This translation is based on an abbreviated version of the original decision. It is provided for the reader’s convenience and information only. Please note that only the German version is authoritative. Page numbers in citations have been retained from the original and may not match the pagination in the English version of the cited text.
When citing this decision it is recommended to indicate the court, the date of the decision, the case number and the paragraph: BVerwG, Decision of 25 February 2016 - BVerwG 1 C 28.14 – para. 16.
Responsibility for selection under data protection law in multi-tiered provider relationships (request for a preliminary ruling)
A preliminary ruling of the Court of Justice of the European Union (hereinafter: ECJ) is requested on the following questions in accordance with article 267 TFEU.
1. Is article 2 (d) of Directive 95/46/EC […] to be interpreted as definitively and exhaustively defining the liability and responsibility for data protection violations, or does scope remain, under the “suitable measures” pursuant to article 24 of Directive 95/46/EC and the “effective powers of intervention” pursuant to the second indent of article 28 (3) of Directive 95/46/EC, in multi-tiered information provider relationships for responsibility of a body that does not control the data processing within the meaning of article 2 (d) of Directive 95/46/EC when it chooses the operator of its information offering?
2. Does it follow a contrario from the obligation of Member States under article 17 (2) of Directive 95/46/EC to stipulate, in cases where data processing is carried out on the controller’s behalf, that the controller “must … choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out”, that, where there are other user relationships not linked to data processing on the controller’s behalf within the meaning of article 2 (e) of Directive 95/46/EC, there is no obligation to make a careful choice and no such obligation can be derived from national law?
3. In cases in which a parent company based outside the European Union has legally independent establishments (subsidiaries) in various Member States, is the supervisory authority of a Member State (in this case, Germany) entitled under article 4 and article 28 (6) of Directive 95/46/EC to exercise the powers conferred under article 28 (3) of Directive 95/46/EC against the establishment located in its territory even when this establishment is solely responsible for promoting the sale of advertising and other marketing measures aimed at the inhabitants of this Member State, whereas the independent establishment (subsidiary) located in another Member State (in this case, Ireland) is exclusively responsible under the group’s internal division of tasks for collecting and processing personal data throughout the entire territory of the European Union and hence in the other Member State as well (in this case, Germany), if decisions about data processing are in fact taken by the parent company?
4. Are article 4 (1) (a) and article 28 (3) of Directive 95/46/EC to be interpreted as meaning that, in cases in which the controller has an establishment in the territory of one Member State (in this case, Ireland) and there is another, legally independent establishment in the territory of another Member State (in this case, Germany), whose responsibilities include the sale of advertising space and whose activity is aimed at the inhabitants of that State, the competent supervisory authority in this other Member State (in this case, Germany) may direct measures and orders implementing data protection legislation also against the other establishment (in this case, in Germany) not responsible for data processing under the group’s internal division of tasks and responsibilities, or are measures and orders only possible by the supervisory body of the Member State (in this case, Ireland) in whose territory the entity with internal responsibility within the group has its registered office?
5. Are article 4 (1) (a) and article 28 (3) and (6) of Directive 95/46/EC to be interpreted as meaning that, in cases in which the supervisory authority in one Member State (in this case, Germany) takes action against a person or entity in its territory pursuant to article 28 (3) of Directive 95/46/EC on the grounds of failing to exercise due care in choosing a third party involved in the data processing process (in this case, Facebook), because this third party is in violation of data protection legislation, the active supervisory authority (in this case, Germany) is bound by the appraisal of data protection legislation by the supervisory authority of the Member State in which the third party responsible for the data processing has its establishment (in this case, Ireland) meaning that it may not arrive at a different legal appraisal, or may the active supervisory authority (in this case, Germany) conduct its own examination of the lawfulness of the data processing by the third party established in another Member State (in this case, Ireland) as a preliminary issue prior to its own action?
6. Where the possibility of conducting an independent examination is available to the active supervisory authority (in this case, Germany): Is the second sentence of article 28 (6) of Directive 95/46/EC to be interpreted as meaning that this supervisory authority may exercise the effective powers of intervention conferred on it under article 28 (3) of Directive 95/46/EC against a person or entity established in its territory on the grounds of their joint responsibility for data protection violations by a third party established in another Member State only and not until it has first requested the supervisory authority in this other Member State (in this case, Ireland) to exercise its powers?
Sources of law
Federal Data Protection Act (BDSG, Bundesdatenschutzgesetz): section 3 (7), section 11, 38 (5)
Directive 95/46/EC: article 2 d), article 4, 17 (2), article 28 (3), (6), article 29 et seqq.
Telemedia Act (TMG, Telemediengesetz): section 12, 13, 15
Summary of the facts
The parties are in dispute about the lawfulness of a data protection order issued by the defendant to the claimant to deactivate its Facebook fan page operated at the third party summoned to attend the proceedings as a party whose rights may be affected (Facebook Ireland Ltd.) (Beigeladene; hereinafter: summoned third party).
The claimant is an education enterprise organised under civil law that fulfils its shareholder’s further education remit - the shareholder being the “Fördererstiftung Wirtschaftsakademie Schleswig-Holstein” financed by the three Chambers of Commerce in Schleswig-Holstein. The claimant advertises the educational courses it offers on a so-called fan page operated at the summoned third party.
On 3 November 2011 the defendant - having heard the claimant - ordered the claimant pursuant to section 38 (5) first sentence of the Federal Data Protection Act (BDSG, Bundesdatenschutzgesetz), to ensure that the Facebook fan page it operated at www.facebook.com/wirtschaftsakademie was deactivated, and threatened to impose an administrative fine in case of failure to comply with the order in due time. The claimant filed an objection (Widerspruch) in due time, arguing basically that it was not responsible under data protection law for the data processing or for the cookies placed by Facebook.
In its decision on the objection dated 16 December 2011, the defendant argued that the responsibility under data protection law of the Wirtschaftsakademie Schleswig-Holstein GmbH as the service provider had been established on the basis of section 3 (3) no. 4, section 12 (1) of the Telemedia Act (TMG, Telemediengesetz) in conjunction with section 3 (7) BDSG. By setting up the fan page, it was argued, the claimant had also actively and intentionally contributed towards the collection of personal user data by Facebook, from which the claimant profited through the user statistics made available by Facebook.
In its statement of claim the claimant argued that it itself did not process personal data. The data processing by Facebook could not be attributed to the claimant. Nor had it commissioned Facebook in the sense of section 11 BDSG, with data processing it controlled or was able to influence. Finally, the defendant had exercised its discretion incorrectly by turning to the claimant and not directly to Facebook.
In its judgment of 9 October 2013, the Administrative Court set aside the order of the defendant.
The Higher Administrative Court dismissed the appeal as being unfounded, stating in essence in its reasons: Irrespective of the possible internal use, the deactivation ordered was to be considered equivalent to a ban on data processing pursuant to section 38 (5) second sentence BDSG. The ambit of section 38 (5) BDSG does not permit this, however, since it provides for a procedure in several steps, the first step merely permitting measures in order to rectify violations established in the collection, processing or use of personal data. An exception only comes into question, it was held, where a data-processing procedure is unlawful in its entirety and where this defect can only be rectified by discontinuing the processing, i.e. if adherence to the step-by-step procedure seems futile when considered objectively. This was not the case in the present context. The reason is that the violations alleged by the defendant could be rectified by Facebook without difficulty. Insofar as the defendant is not responsible for monitoring Facebook (which can remain undecided), it was not entitled to take action against a third party in the sense of article 2 (f) of Directive 95/46/EC instead of against Facebook, diverging from the prescribed procedure.
The order was also considered unlawful because the claimant was not the responsible party in the sense of section 3 (7) BDSG with regard to the data collected by Facebook from the fan page operated, and because an order pursuant to section 38 (5) BDSG could only be issued to the responsible party. Facebook alone decided on the purpose and the means for collecting and processing the personal data used for “Insights”; the claimant merely received anonymised, statistical information.
In its appeal on points of law the defendant also claims a violation of section 38 (5) BDSG and argues that the court of appeal had made various procedural errors. The defendant now sees the claimant’s violation as being the commission awarded to a provider - here: the summoned third party - that was unsuitable because it failed to comply with data protection law, to compile, make available and maintain an internet presence. The deactivation order was aimed at rectifying the claimant’s violation by prohibiting it from continuing to use the Facebook infrastructure as the technical basis for its web presence.
16 The legal dispute is to be suspended. It is necessary to request a preliminary ruling from the Court of Justice of the European Union on the questions set out in the operative part of the decision (article 267 TFEU). The questions concern the interpretation of article 2 (d), article 4 (1), article 17 (2) and article 28 (3) and (6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281 p. 31). Since the interpretation of EU law is concerned, the Court of Justice of the European Union has jurisdiction.
17 1. The legal assessment of the action for annulment brought against the data protection regulatory order issued by the defendant has to be based on the material and legal situation at the time of the most recent administrative decision, i.e. the decision on the objection (December 2011). At that time, article 2 (d), article 4 (1), article 17 (2) and article 28 (3) and (6) of Directive 95/46/EC that are relevant in the present context had entered into force, and their implementation period had expired according to article 32 of the same Directive. The Directive and the subsequent amendments were also implemented into national law by the Law Amending the Federal Data Protection Act and Other Laws (Gesetz zur Änderung des Bundesdatenschutzgesetzes und anderer Gesetze) dated 18 May 2001 (Federal Law Gazette (BGBl., Bundesgesetzblatt) I p. 904). The following national provisions form the legal framework of this dispute, and - insofar as relevant here – presently remain in force unchanged:
section 3 (1) and (7), section 11 (1) and (2), section 38 (5) BDSG of 20 December 1990 (BGBl. I p. 2954), as promulgated on 14 January 2003 (BGBl. I p. 66), most recently amended for the period presently relevant by the Act Amending Data Protection Provisions (DSRÄndG, Gesetz zur Änderung datenschutzrechtlicher Vorschriften) of 14 August 2009 (BGBl. I p. 2814).
section 3 (1) and (7) BDSG
(1) “Personal data” means any information concerning the personal or material circumstances of an identified or identifiable individual (the data subject). (…)
(7) “Controller” means any person or body collecting, processing or using personal data on his or its own behalf or commissioning others to do the same.
section 11 (1) and (2) BDSG
(1) Where other bodies are commissioned to collect, process or use personal data, responsibility for compliance with the provisions of this Act and with other data protection provisions shall rest with the principal. The rights referred to in sections 6, 7 and 8 of this Act shall be asserted vis-à-vis the principal.
(2) The agent shall be carefully selected, with particular regard for the suitability of the technical and organisational measures taken by him/her. The commission shall be awarded in writing and shall specify in particular: (…)
The principal shall verify compliance with the technical and organisational measures undertaken by the agent before data processing begins and regularly thereafter. The result shall be documented.
section 38 (5) BDSG
(5) In order to ensure compliance with this Act and other data protection provisions, the supervisory authority may order measures to rectify violations during the collection, processing or use of personal data or technical or organisational irregularities detected. In the event of serious violations or irregularities, especially those connected with a special threat to privacy, the supervisory authority may prohibit the collection, processing or use, or the use of particular procedures if the violations or irregularities are not rectified within a reasonable period contrary to the order pursuant to the first sentence above and despite the imposition of an enforcement fine. The supervisory authority may demand the dismissal of the data protection official if he/she does not possess the specialised knowledge and demonstrate the reliability necessary for the performance of his/her duties.
Regarding the background to the legal dispute, reference is made to section 12 (1) and (3) TMG of 26 February 2007 (BGBl. I p. 179), amended most recently for the presently relevant period by the First Act Amending the Telemedia Act (1. Telemedienänderungsgesetz) of 31 May 2010 (BGBl. I p. 692), which served in part to implement Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201 p. 37).
section 12 (1) and (3) TMG
(1) The service provider may collect and use personal data for the provision of telemedia only to the extent that this Act or another statutory provision referring expressly to telemedia permits such collection or use, or with the user’s consent.
(3) Except as otherwise provided, the provisions in force on the protection of personal data shall be applied, even if the data are not processed automatically.
20 2. The questions referred for a preliminary ruling are significant for the ruling of the Federal Administrative Court and require clarification by the Court of Justice of the European Union. The answer to the questions determines whether the appeal on points of law will be successful, at least in the sense of a remittal.
21 (a) According to section 38 (5) BDSG, the supervisory authority may take measures and issue orders solely in order to ensure compliance with the Federal Data Protection Act and other data protection provisions.
22 aa) The contested order to deactivate the Facebook fan page has to be assessed based on its degree of intervention as a measure prohibiting the use of an individual procedure pursuant to section 38 (5) second sentence BDSG, which is permissible if there are severe violations or irregularities. The order is not unlawful and does not have to be revoked simply because it was not preceded by a demand to rectify violations established pursuant to section 38 (5) first sentence BDSG. An exception has to be made from the sequence of steps which is required by law for reasons of proportionality if the data protection supervisory authority intervenes, where the recipient of the order is unable to rectify the irregularities because he/she has no direct, controlling or formative influence on the data processing that is allegedly unlawful. This is the case according to the findings of the court of appeal that are binding on the Senate (section 137 of the Code of Administrative Court Procedure (VwGO, Verwaltungsgerichtsordnung)). The claimant and the summoned third party Facebook Ireland Ltd. both claimed that the collection and processing of the data of visitors to the fan page was performed by the summoned third party alone and that under the user relationship the claimant was unable to legally or substantively shape or influence the nature and extent of the data collection. Assuming that data protection obligations do exist, the claimant’s inability to exercise a direct influence and decide on the nature and extent of the processing of users’ data also does not exclude the application of section 38 (5) BDSG. For the purpose of enforcing data protection law (see also article 28 (3) of Directive 95/46/EC), general authorisation to intervene is not limited to taking action against the “party responsible for the processing” in the sense of article 2 (d) of the above Directive, if and insofar as other data protection obligations exist. The personal scope of the authority to intervene arises here from obligations under substantive law.
23 Assuming the claimant’s responsibility as given, which cannot arise under the national provisions of the Telemedia Act, but, rather, solely under those of the Federal Data Protection Act, the other prerequisites for the order that are also disputed by the parties are ultimately met as well.
24 bb) However, the claimant is not the “person or body collecting, processing or using personal data on his or its own behalf or commissioning others to do the same” (section 3 (7) BDSG) as regards the collection and processing of the user data on its fan page by the summoned third party, or the “person or body which alone or jointly with others determines the purposes and means of the processing of personal data” (article 2 (d) of Directive 95/46/EC).
25 Admittedly, by deciding to set up a fan page on the platform operated by the summoned third party and/or its parent corporation, the claimant objectively gives the summoned third party the opportunity to place cookies and thus obtain data when the fan page is accessed. At least as regards fan page users who are registered at Facebook, there is personal data involved in the sense of article 2 (a) of Directive 95/46/EC, even if such users did not log in to Facebook when accessing the fan page. Where unregistered users are concerned, classification of the ID number assigned by a cookie as being personal data also depends on the requirements to be made of the additional knowledge required in order to identify the person concerned (see in this respect the request for a preliminary ruling made by the German Federal Court of Justice (Bundesgerichtshof) on 28 October 2014 - VI ZR 135/13 - juris).
27 The claimant’s decision to use the Facebook infrastructure for its information and communication services does not make it the person or body which - alone or jointly with the summoned third party - decides on the purpose, conditions and means of the processing of personal data (article 2 (d) of Directive 95/46/EC) or the responsible person or body in the sense of section 3 (7) BDSG. However, as a matter of principle, the legal definition of the “controller” in article 2 (d) of Directive 95/46/EC, which determines the interpretation of section 3 (7) BDSG, has to be given a broad interpretation in the interest of effective privacy protection (see also article 29 Data Protection Working Party, Opinion 1/2010 on the terms “controller” and “processor” of 16 February 2010, Working Paper 169 [00264/10/DE WP 169]). The functional understanding also leaves scope for the possibility of pluralistic control permitting various degrees of responsibility up to “joint and several” liability (article 29 Data Protection Working Party, loc. cit., Working Paper 169 [00264/10/DE WP 169], 39). The capacity to decide on the purpose and means of the relevant data processing is however a distinctive and crucial element of article 2 (d) of Directive 95/46/EC. A person or body that has no legal or actual influence on the decision as to how personal data is processed cannot be considered responsible for the processing.
28 It is only by abandoning further use of its fan page that the claimant can prevent further processing of users’ data by the summoned third party. However, this does not enable the claimant to exercise a legal or actual influence on whether, how and to what extent the data processing is used by the summoned third party within its own powers and responsibility. Sufficient possibility to influence or even (co-)decision-making powers do not follow from the ability of informational fan pages to enhance the attractiveness of the platform operated by the summoned third party - for users and for the summoned third party’s business activities -, or from the fact that the claimant can objectively glean benefits from the “Facebook Insights” function operated by the summoned third party through the receipt of anonymised data on the use of its fan page.
29 cc) Nor is the claimant the principal commissioning data processing (section 11 BDSG; article 2 (e), article 17 (2) and (3) of Directive 95/46/EC) with regard to the processing of the data of users of its fan page by the summoned third party.
30 Admittedly, a legal relationship does exist between the claimant and the summoned third party with regard to provision of a fan page; in this respect the claimant is a user of the platform operated by the summoned third party. The user relationship does not however mean that the claimant commissioned the summoned third party to collect and process the data of users of its fan page. Such use of data is not a primary or accessory obligation under the fan page user relationship. Owing to the technical particularities of the platform operated by the summoned third party, the claimant is unable to access the relevant data of its users at any point in time. The data processing by Facebook is neither objectively structured by the parties to the fan page user relationship as being the use of data for which they are jointly responsible, nor is it subjectively intended to be a common effort. The fact that when deciding to avail itself of the summoned third party’s platform, the claimant might be aware that the former collects and processes data from fan page users, does not transform the contractual or user relationship concerning the fan page into a relationship for data processing on commission. Data processing on commission results from but does not establish responsibility. The large number of users of the summoned third party’s social network and the therefore expected benefits for the dissemination of one’s own information services exclude the idea that the claimant could have chosen the summoned third party’s platform solely in order to avoid responsibility under data protection law.
31 b) The referring court considers clarification to be necessary as to whether and if so subject to which requirements the powers of supervision and intervention of the data protection supervisory authority can relate solely to the “responsible body” in the sense of article 2 (d) of Directive 95/46/EC (section 3 (7) BDSG) within multi-tiered provider relationships characteristic of social networks, or whether scope remains for the responsibility of a person or body that is not responsible for the data processing in the sense of article 2 (d) of Directive 95/46/EC, with regard to the selection of an operator for its information services. The first question referred focussed on this issue.
32 aa) article 28 (3) second indent of Directive 95/46/EC provides that the supervisory authorities have to be granted effective powers of intervention including the power to order a temporary or definitive ban on processing. Article 24 of the same Directive obliges the Member States to adopt suitable measures in order to ensure the full implementation of the provisions of the Directive. The Data Protection Directive is aimed at effective and comprehensive protection of the right to privacy (article 8 of the European Convention on Human Rights) with a high level of protection (recital no. 2 and 10 to Directive 95/46/EC). In its established case law the Court of Justice of the European Union emphasises the importance of the fundamental right to privacy guaranteed by article 7 of the Charter of Fundamental Rights and of the fundamental right to the protection of personal data guaranteed by article 8 of the same Charter (cf. ECJ, judgments of 7 May 2009 - C-553/07 [ECLI:EU:C:2009:293], Rijkeboer – para. 47; of 8 April 2014 - C-293/12, C-594/12 [ECLI:EU:C:2014:238], Digital Rights Ireland et al - para. 53; of 13 May 2014 - C-131/12 [ECLI:EU:C:2014:317], Google Spain and Google - para. 53, 66 and 74, and of 6 October 2015 - C-362/14 [ECLI:EU:C:2015:650], Schrems – para. 39).
34 cc) Against this backdrop, the first question referred seeks to clarify whether the term “controller” (article 2 (d) of Directive 95/46/EC) also defines the possible addressees of intervention exhaustively, or whether within the context of “suitable measures” under article 24 and “effective powers of intervention” under article 28 (3) second indent of Directive 95/46/EC, scope remains for responsibility under data protection law for the selection of the information services provider.
35 c) The second question referred is aimed at the legal connecting factor for the responsibility for choice in multi-tiered provider relationships that is upstream to the responsibility pursuant to article 2 (d) of Directive 95/46/EC. According to national law, it would be possible to have recourse to selection and verification obligations (section 11 (2) first and fourth sentence BDSG) established by the national legislator in implementation of article 17 (2) of Directive 95/46/EC with regard to data processing on commission (…). The common - and for an analogy possibly sufficient – basic idea is that an information provider should not be permitted to absolve itself of data protection obligations towards users of its information services by selecting a certain infrastructure provider, obligations it would have to honour in the case of a pure content provider. The fact that an information provider on social networks such as that of the summoned third party is simultaneously a user of that network gives rise to a specific risk situation that is not covered by the division of responsibilities under article 2 (d) of Directive 95/46/EC owing to the insufficiently clear division of responsibilities from the perspective of information services users. This applies all the more so where the information services are not directed solely at registered users who are logged-in to the network.
36 However, when interpreting in line with EU law, an application mutatis mutandis of the selection and control obligations under section 11 (2) first and fourth sentences BDSG does not come into question where, in reverse conclusion, article 17 (2) of the above-mentioned Directive means that selection and supervision obligations under data protection law may be imposed on an information provider solely where commissioned data processing takes place. Yet the wording does not exclude more extensive obligations being imposed; nor does this imposition generate new or additional conditions under substantive law relating to the lawfulness of the processing of personal data (see in this respect ECJ, judgment of 24 November 2011 - C-468/10, C-469/10 [ECLI:EU:C:2011:777], ASNEF/FECEMD). A reverse conclusion could be indicated by a clear and unequivocal allocation of responsibility to the infrastructure provider alone. In addition, users of infrastructures and platforms remain exempted from the necessity to (indirectly) verify the lawfulness of the data processing by the provider selected.
37 d) If an information provider bears responsibility when it selects its infrastructure provider within multi-tiered provider relationships, then the lawfulness of the data protection order issued in the present context continues to require a breach of such responsibility for selection because the provider selected - in this case the summoned third party – commits a sufficiently severe violation of data protection law when collecting and processing the data of users of the claimant’s information service. This question is disputed between the parties and was not clarified conclusively by the court of appeal. The referring court is unable to clarify the question conclusively on the basis of the factual findings made. An answer to this question also requires clarification of questions no. 3 through 6 posed regarding the jurisdiction of the data protection supervisory authority acting in the present case and of the scope of its investigative powers.
38 aa) It is rightly undisputed by the parties that the collection and processing of the data of users of the fan page operated by the claimant on the infrastructure provider Facebook falls within the territorial scope of application of Directive 95/46/EC, insofar as personal data in the sense of article 2 (a) of that Directive is concerned. The reason is that in addition to the subsidiary Facebook Germany GmbH (having its registered office in Hamburg) that is entrusted with promoting the sale of advertising and other marketing measures aimed at inhabitants of the Federal Republic of Germany, the parent corporation located in the USA, Facebook Inc., also operates the subsidiary Facebook Ireland Ltd. - the summoned third party - located in the Irish Republic, which concedes that it bears exclusive responsibility within the group for the collection and processing of personal data (among other things) throughout the entire territory of the European Union. All persons resident within the territory of the EU who wish to use Facebook have to enter into an agreement with Facebook Ireland Ltd. upon registering (see also ECJ, judgment of 6 October 2015 ‑ C-362/14 - para. 27). Yet the defendant argued that the decision on the nature and extent of the data processing as well as the data processing as such was not undertaken by the summoned third party (Facebook Ireland Ltd.) because the personal data of Facebook users resident within the EU was transmitted wholly or partly to Facebook Inc. servers located in the USA, and was processed there (see also ECJ, judgment of 6 October 2015 - C-362/14 - para. 27).
39 Within the context of determining the body responsible for supervisory and monitoring measures, it is then necessary to clarify the issue raised in the third question referred to the Court of Justice for a preliminary ruling. It is necessary to determine the requirements under which one (of several) establishments of a parent corporation located outside the EU can be considered the “party responsible for the processing” in the sense of articles 4 and 2 (d) of Directive 95/46/EC. In particular, it is necessary to clarify whether it is sufficient for one of the establishments within the EU (here: Facebook Ireland Ltd., the summoned third party) to designate itself as being responsible for the data processing throughout the entire territory of the EU although the physical data processing is performed wholly or partly and controlled largely by the parent corporation located outside the EU. If this is affirmed, then details of the decision-making and data-processing structures within the group of companies are irrelevant. Otherwise a different establishment (here: Germany) can be considered responsible, which is subject to supervision and monitoring pursuant to article 28 (6) of Directive 95/46/EC if the data processing does not actually take place within the territory of the EU. In that case, the national court first has to examine details of the decision-making and data-processing structures within the group of companies in order to determine the establishment bearing responsibility.
40 bb) The fourth question referred addresses the division of responsibilities between the authorities supervising data protection in cases where the parent corporation (here: Facebook Inc., USA) operates several business establishments within EU territory, which however have different responsibilities. In its judgment of 13 May 2014 (ECJ, judgment of 13 May 2014 - C-131/12), the Court of Justice interpreted article 4 (1) (a) of Directive 95/46/EC to mean that processing of personal data takes place in the sense of the provision, within the context of tasks performed by a business establishment possessed by the party responsible for the processing within the territory of a Member State, where the party performing the data processing establishes a branch establishment or a subsidiary in a Member State in order to promote the sale of advertising space for its data-processing products as well as the sale as such, the activities of such branch establishment or subsidiary being aimed at the inhabitants of that Member State. It is important to clarify whether this reference to a branch establishment in a Member State (here: Germany) with responsibility solely for marketing and sales can be transposed regarding the applicability of the Data Protection Directive and the competence of the supervisory authority to a constellation in which a subsidiary established in a different Member State (here: Ireland) acts - according to the internal assignment of responsibilities within the group - as “the party responsible for the processing” for the entire territory of the EU in relation to third parties.
The referring court takes the view that the Court of Justice’s judgment of 1 October 2015 does not provide clarification (C‑230/14 [ECLI:EU:C:2015:639], Weltimmo); that judgment did not concern a constellation involving two legally independent subsidiaries that were internally assigned different material and regional responsibilities by a parent corporation resident outside the territory of the EU. In the constellation presently at issue the matter depends on the scope of the supervisory and monitoring powers of supervisory authorities located in Germany, which relate to the business establishment Facebook Germany GmbH responsible for advertising and marketing, not least owing to the selection of the addressee of measures according to article 28 (3) of Directive 95/46/EC (and/or section 38 (5) BDSG). Irrespective of the appraisal of the lawfulness of the data processing by Facebook, action taken against the claimant could then be in breach of discretionary powers and hence unlawful if the violations of data protection law assumed by the supervisory authority could be cured by taking action directly against the branch establishment Facebook Germany located in Germany.
41 cc) It is disputed between the parties whether and to what extent the processing by Facebook of the data of users of the claimant’s fan page is in breach of (German or Irish) data protection law. The claimant and the summoned third party argued that the supervisory authority responsible for the summoned third party, namely the Irish Data Protection Commissioner, had examined closely and raised no objections against the summoned third party’s data processing as a whole or, in particular, against the functions during the collection and processing of the data of fan page users to which the defendant objected. The defendant takes a different legal view and does not feel bound by the findings and assessments of the Data Protection Commissioner. Question no. 5 referred seeks to obtain clarification whether and to what extent such an independent legal assessment may be treated as a preliminary issue.
42 The statements made by the Court of Justice in its judgment of 1 October 2015 (C-230/14 ‑ para. 51 et seqq.) on determining the applicable law and the competent supervisory authority do not clarify the above question. According to article 28 (1) and (3) of Directive 95/46/EC, each supervisory authority exercises all powers transferred to it within the sovereign territory of its Member State in order to ensure compliance with the data protection regulations in that State. A supervisory authority may not impose penalties outside the territory of its Member State, nor may it take other sovereign measures outside its territorial jurisdiction. Yet the main proceedings concern an order issued to a body situated within its own territory, where the lawful nature of the data processing by the summoned third party merely constitutes a preliminary issue. This specifically does not entail sovereign actions against the summoned third party.
43 According to article 28 (6) of Directive 95/46/EC, notwithstanding the applicable national law, each supervisory authority is responsible for exercising, within the territory of its own Member State, the powers granted to it under article 28 (3) of the same Directive. Yet this still leaves doubts as to whether the individual supervisory authority responsible is authorised to conduct an extensive, independent examination and assessment of the conformity with data protection law of data processing performed by a body established in a Member State. However, article 28 et seqq. of Directive 95/46/EC do not confer preferential or exclusive competence for examination and assessment on the supervisory authority responsible for the registered office; nor is the legal assessment of the supervisory authority in a different Member State responsible for the branch establishment deemed to be binding, which would also be problematic regarding the effect of its activities outside its territorial jurisdiction. The so-called article 29 Data Protection Working Party is also charged, amongst others, with contributing towards the uniform application of the Data Protection Directive (article 30 (1) (a) of Directive 95/46/EC). However, it has no competence to make a binding decision on divergent legal assessments made by different national supervisory authorities. Altogether, this might indicate that each supervisory authority may examine and evaluate the compatibility of data processing with data protection law without being bound by the appraisal of the supervisory authority in another Member State that is responsible for the relevant branch establishment, insofar as this is relevant as a preliminary issue for action to be taken within one’s own jurisdiction.
44 dd) Should the supervisory authority acting within its jurisdiction be entitled to conduct an independent examination of the data processing by a business establishment situated in a different Member State, then with regard to article 28 (6) second sentence of Directive 95/46/EC it is important to clarify whether the option available to every supervisory authority there to ask the supervisory authority in a different Member State to exercise its powers can include an obligation to avail oneself of this option. Question no. 6 referred raises this question because the defendant, in its order issued to the claimant, diverges from the assessment of the Irish Data Protection Commissioner in its own evaluation of the preliminary issue of the data protection conformity of the processing by the summoned third party, without however having made a formal request to the Irish authority to exercise its powers against the summoned third party. An order against the claimant for failure to comply with its responsibility for selection, which relates to breaches of data protection law by the summoned third party, would definitely be in breach of discretionary powers if article 28 (6) second sentence of Directive 95/46/EC implied an unconditional, comprehensive obligation to ask the Irish Data Protection Commissioner to exercise its powers, at least in case of an intended derogation from the Irish authority’s appraisal of the data protection conformity of the data processing by the summoned third party.