Facebook and the GDPR: What it means for the affiliate industry

Since the May 25 deadline, there have been two rulings that have helped clarify what a post-GDPR world looks like. As more cases are brought and rulings are given, our understanding of what best practices and future guidance looks like will inevitably deepen.

The first legal case precedes the GDPR, but is shaped within the context of the new data laws and impacts one of the businesses under the most scrutiny: Facebook.

In June 2018, the Court of Justice of the EU (CJEU) ruled the administrators of Facebook fan pages should be viewed as joint-controllers of the personal data processed about the people who access their pages.

Stemming from a 2011 case involving Wirtschaftsakademie - a German educational company - the ruling potentially broadens the scope of which types of activity and businesses could be classified as a controller.

This is important from an affiliate perspective because, prior to the GDPR, there was much industry discussion about whether affiliates are data processors or data controllers. A processor, generally speaking, doesn’t ‘control’ what and how data is used - and as such, is subject to fewer legal obligations than a data controller.

While there is no explicit processor/controller definition for affiliates, the status is based around the various ways that data is used. A company may decide they are a processor for certain things they do, but a controller for others. Regardless, the status isn’t based on what a business would like to be defined as, but how regulators interpret they use data within the framework of the GDPR.

What this ruling seems to suggest is, that while affiliates may have considered themselves processors, regulators will take a different view. According to Out-Law.com, “The judgment represents a significant broadening of the concept of data controllership under EU data protection law."

The ruling aligns with Awin’s view on affiliates. In May, we published our own guidance, concluding affiliates, advertisers and Awin are all joint-controllers in a tri-partite relationship.

“Publishers are already controllers of data processed to acquire their own website users; only they have decided the separate purpose: ‘Let’s get some traffic so they can see the ads we publish.'"  

Another early GDPR ruling has also recently emerged from Germany. Concerning the purpose of processing personal data, a German court has declined US company ICANN’s application for preliminary junction, as it hasn’t provided sufficient proof that collecting certain personal data is necessary to fulfil the purpose of the underlying contract.

The case is based on a contractual relationship ICANN had with German domain registrar EPAG, the latter agreeing to collect personal data from individuals and businesses purchasing domain names.

ICANN requested EPAG hand over certain information for the technical contacts at the companies registering domains. EPAG refused, essentially arguing the data wasn’t necessary to fulfil the purpose of the relationship and was not compliant with the GDPR.

In turn, ICANN took legal action. However, a court in Bonn confirmed EPAG’s position, not having been able to identify the necessity of the additional data for the defined purpose. The decision embodies the GDPR’s core principles of data minimization and purpose limitation, and highlights that compliance with applicable law – in this case the GDPR – prevails over contractual obligations. Further development of this case is expected as ICANN has appealed the decision.

The European Data Protection Board said ICANN also needed to “explicitly justify” why it is necessary to retain personal data beyond the two-year limit outlined under the GDPR, as well as stating that, contrary to the company’s belief, it is a data controller.

Further rulings are expected in the coming weeks and months that will continue to build our understanding about how the new laws are interpreted. Awin is continuing to monitor the situation and will update our advice and guidance based on the outcomes of these cases.

Affiliates and advertisers can refer to the information we’ve supplied on Awin's GDPR portal. Upcoming initiatives the network will be embarking on is continuing to raise awareness about data processing, monitoring and integrating cookie consent tools, and revising our publisher compliance procedures.