Legal consulting | April 14, 2025 | 5 min read

    GDPR Meets ISS: How Courts Are Interpreting Data Controller Roles

    The General Data Protection Regulation (GDPR) has reshaped how courts interpret data controller roles, particularly in cases involving joint controllership and platform liability. This article delves into key rulings, analyzing how legal frameworks are evolving to address complex data governance challenges in an interconnected world.

    The intersection of the General Data Protection Regulation (GDPR) and Information Society Services (ISS) continues to present complex legal challenges, particularly around the concept of data controllership. The GDPR defines a controller as the entity that determines the purposes and means of processing personal data. Yet when digital platforms—many of which qualify as ISS—interact with users and third-party content providers, the lines of responsibility blur.

    Recent case law from the Court of Justice of the European Union (CJEU) has significantly expanded the interpretation of joint controllership, placing new obligations on platform operators, website owners, and service providers engaged in collaborative data processing. Below, we explore key judgments and their implications for platform accountability.

    Facebook Fan Page Case (C-210/16): The Birth of Joint Controllership

    In Wirtschaftsakademie Schleswig-Holstein v Facebook Ireland, the CJEU held that an administrator of a Facebook Fan Page was a joint controller together with Facebook for the processing of visitor data. The administrator used Facebook Insights, a tool that provides anonymized statistics about user engagement.

    Key Findings:

    • Even though the page administrator could not access personal data directly, the CJEU found that it influenced the purposes and means of data processing by configuring the page and selecting target demographics.
    • The decision introduced a broad and functional definition of joint controllership, emphasizing actual influence over data use, not just access.

    Implications:

    • Organizations embedding third-party services or analytics tools on their websites may be jointly liable for data processing.
    • ISS providers offering configurable services (such as page customization, advertising preferences, or tracking settings) must assess joint responsibilities under Article 26 GDPR.

    Fashion ID Case (C-40/17): Social Plugins and Shared Responsibility

    In Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW, the CJEU addressed whether a website that embeds a Facebook “Like” button is a joint controller for the transmission of personal data to Facebook.

    Key Findings:

    • The operator of a website is a joint controller for the collection and transmission of personal data (such as IP addresses and browser information) to Facebook.
    • The operator is not a controller for subsequent processing carried out solely by Facebook.

    Implications:

    • This ruling highlights the granular nature of joint controllership, limited to specific stages of data processing.
    • Websites using embedded tools must disclose data transfers in their privacy notices and, where required, obtain valid consent for third-party data collection.

    Jehovan Todistajat Case (C-25/17): Offline Application of Joint Controllership

    Although not focused on an ISS, the Jehovan Todistajat case further solidified the broad scope of joint controllership. Members of the religious community collected personal data during door-to-door preaching without formal documentation or centralized storage.

    Key Findings:

    • The religious community and individual members were joint controllers under GDPR, even without formal coordination or access to the full dataset.
    • The Court emphasized the importance of common purposes in establishing controllership, even where technical means are fragmented.

    Implications for ISS:

    • Platforms and affiliates working together—even informally—on user data collection can be jointly liable.
    • Informal or decentralized processing structures do not shield entities from joint controllership obligations.

    Bundeskartellamt v Meta (Case T-201/22): Competition Meets GDPR

    Although still under judicial development, the German competition authority’s case against Facebook (now Meta) challenges excessive data collection practices under both GDPR and competition law. The CJEU will need to clarify whether platform dominance and user consent interact under data protection principles.

    Emerging Trend:

    • Courts and regulators are increasingly treating platform-wide tracking and data consolidation across services as potentially abusive or unlawful when not accompanied by informed, freely given consent.

    Key Takeaways for ISS Providers

    1. Assess Joint Controllership Proactively
      Any collaboration involving shared tools, plugins, or analytics features can create joint responsibilities. Formalize arrangements and clarify roles through contracts and privacy policies.
    2. Segment Processing Phases
      Liability may apply only to certain stages of processing. Clearly identify where your organization initiates or contributes to data collection and transfer.
    3. Strengthen Transparency and Consent Mechanisms
      Embedding third-party tools? Disclose them prominently and obtain user consent where legally required—especially for marketing and profiling.
    4. Implement Joint Controller Agreements (JCA)
      Under Article 26 GDPR, joint controllers must establish a Joint Controller Agreement, allocating responsibilities and providing a point of contact for data subjects.
    5. Track Legal Developments Beyond Data Protection
      Issues of joint controllership now intersect with competition law, consumer protection, and platform regulation. Stay aware of broader legal trends affecting digital services.

    Conclusion

    The CJEU’s evolving case law has firmly established that Information Society Services can share controllership responsibilities with website operators, partners, and even users, depending on the nature of the data interaction. For legal advisors and compliance teams, it is no longer enough to classify a platform as a neutral host. The actual influence over how data is collected and used is now the decisive factor.

    As the regulatory environment grows more complex under the Digital Services Act, ePrivacy Regulation, and ongoing GDPR enforcement, ISS providers must adopt a comprehensive and documented approach to data governance and controller responsibilities.

    Need help reviewing your data processing relationships or drafting GDPR-compliant joint controller agreements? Our data protection team advises platforms and digital service providers across the EU on structuring lawful, transparent data practices. Reach out for a consultation.
