I'm reading the judgement. Some caveats apply to the main ruling.

One big one is that this was the Data Protection Directive, so inherently brought to force by Member State law. Also, it (Directive 95/46/EC) was repealed by the GDPR (Art 94).

Thus this case was brought under German Law. The CJEU found that Germany has passed it's own law within the scope of the language of the Directive- not that the Directive necessarily implied the German interpretation.

Example:

A Directive might say "You must drive a car, the type of which may be defined by Member law".

Germany might say "You must drive a Black Volkswagen"

Suppose someone drove a red Volkswagen.

The CJEU might decide that the colour was not within the meaning of the law, although the Marque clearly was.

Importantly, France might specify Renaults. A British Renault driver would be legal in France but not Germany, even though both laws were equally valid.

In this case, German law was allowed to apply because Facebook Germany is a legal entity that based in Germany. If there was no Facebook Germany, then German Law would not apply.

However, the main finding does appear to be universal, to wit that any person who substantively facilitates the collection of data (for example, by hosting something on a Digital Platform), and benefits from that data (for example, by being able to request demographics of users) is a Controller. There is no reason for that to change under the GDPR, where the provisions underlying the logic are similar.

Final observation: the judgement notes that there is no mechanism defined for Supervisory Authorities to co-ordinate- that differs from the GDPR where there is an entire chapter on it.

Looks like I got out just in time.

“While there will be no immediate impact on the people and businesses who use Facebook services, we will work to help our partners understand its implications."

Read the above as saying "We, FB, are not your insurer nor will we indemnify or defend you against claims that are brought."

In other words, you are are your own when it comes to defending yourself or your company . . in whatever nation and in front of whatever adjudicative body asserts jurisdiction over whatever issues arise . . relating to information conveyed via FB's platform.

Can you say "chilling effects"?

What company, in its right mind, wouldn't begin heading for the FB exits until this is sorted out . . by way of indemnification (by FB) OR by clear confirmation by insurance carriers of effective coverage for such claims? (I'm sure most insurance providers are already positioning themselves to assert that such claims are not within the coverage.)

It will be interesting to watch as non-EU nations begin to respond to the cries and demands of their own citizens as notices of alleged wrongs, demands for action and/or claims begin to arrive on foreign shores. The GDPR may give rise to an entirely new version of trade war.

I'm not an expert in international law and treaties but something about what is unfolding suggests that, absent international "data treaties", there is the potential for disruption of information and commercial markets by the likes of the GDPR and emulations thereof.

I could see a non-member nation, with technical savvy and not the best intentions towards the EU and capitalist marketplaces, exploit the GDPR with the intention of disrupting markets. Attack of the bots, version 487 . .

Information, data and privacy "trade war", anyone?

What is that saying about "the road to hell" and "good intentions"?

I suspect there will be a bunch of "Who Me?" litigation in the future. Wonder how fb will move forward considering their TOS lays claim to right/use of content and are responsible for all the cookies, tracking, etc. Can't see the admins having any control of that!

Can't see the admins having any control of that!

I agree, but the EUCJ judgement makes clear that the act of freely choosing to host on a given platform means that you tacitly agree with their policies. Various reasons are advanced, the key one being that otherwise non-users of the Platform are exposed to the Platform by way of your page.

The point is, you could have hosted elsewhere but didn't.

The point is, you could have hosted elsewhere but didn't.

This is exactly the same when you embed adsense (or other ad network) code, or social media buttons, you are jointly responsible for the collection and use of the data that this third-party is doing, even if you are not collecting or transmitting anything yourself.

I suppose the principle is in the same ballpark, but I don't think it's quite the same game.

The Facebook-hosted scenario really needed case-law to "discover" the meaning of the (German-flavoured) Directive. The admin has no real control, and therefore it was debatable if a person without control is a Controller.

When you add code to your own site, you are clearly in control, so are a Controller by default. But you are not the (or even "a") Controller of the third-party data. For example, it would be impossibly to comply with Art 15-20 with regards to the 3rd Party data.

The point here is that you are passing PII to a third party. The only two possible Lawful Bases [gdpr-info.eu] for doing this is Consent (1.(a)) or Legitimate Interests(1.(f)). You can rule out (f) because the Data Subjects' rights clearly override yours in the instance that they object. As such, you need Consent, within the meaning of Art 7 [gdpr-info.eu].

However, the whole cookie thing is not really the purview of GDPR, as is was meant to be dealt with in the ePrivacy Reg, which was delayed.

Forgive me for repeating things I know you know- it's just for completeness of the answer within the thread, and for other readers who have not followed other discussions elsewhere