Shutdown of Twitter usage for companies and public authorities?

The ECJ had already ruled in 2018 that administrators of a Facebook fan page are joint controllers together with Facebook for the processing of personal data of the visitors of this very fan page. Joint controllership occurs when a person, alone or together with others, determines the purposes and means of the processing of personal data. In this regard, the ECJ had explicitly stated that “the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network”. Nevertheless, the Court pointed out “that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.” In this way, the operator of a fan page in any case promotes processing of a visitor’s data by Facebook. In addition – the ECJ continues – the creation of a fan page on Facebook allows the definition of parameters by the administrator which has an influence on the processing of personal data by Facebook for the purpose of producing statistics based on visits to the fan page. At least through the possibility of defining the parameters for such analysis function, the fan page administrator is, in the opinion of the ECJ, involved in the decision on the purposes and means of processing the personal data of the visitors to his fan page and is thus a joint controller together with Facebook.

According to Art. 26 GDPR, joint controllers are obliged, in particular, to define among themselves the respective responsibilities for fulfilling the obligations under data protection law in a transparent manner and to reflect the respective functions and relationships vis-à-vis the data subjects. The data subject may, for example, assert his or her rights of access against each of the jointly responsible persons, so that it seems reasonable to assign individual responsibilities within the internal relationship between the joint controllers. According to the State Data Protection Commissioner of Baden-Württemberg, attempts to conclude such agreements with Twitter were without success, so that the data protection supervisory authority only saw the possibility of shutting down and ultimately deleting one’s own Twitter account.

It is already questionable whether users of a Twitter account are jointly responsible with Twitter at all. In any case, in the fan pages decision, the ECJ did not simply accept the fact that the operator of a fan page allowed Facebook to set cookies on the computers or other devices of the visitors to that fan page. Rather, it was only when the account operators were able to make further adjustments in the analysis of the visitors to the respective account that the ECJ affirmed joint responsibility. Thus, account operators of social media services such as Twitter could in any case cite such a missing (or non-adjusted) analysis option in order to escape the requirements following a joint controllership with the social media service.

Finally, another indication of the potential for legally compliant use is currently provided by some of the other national or European supervisory authorities and courts themselves, as they also use Twitter (for example @EUCourtPress by the Court of Justice of the European Union, @CNIL and @CNIL_en by the French data protection supervisory authority and @EU_EDPB by the European Data Protection Board).

This means that the issue of data protection-compliant Twitter use by companies and public authorities and its acceptance by supervisory authorities and courts remains to be observed, at least in Germany.