Data Protection Law: Update: Responsibility of the administrator of a Facebook fan page under data protection law
On 5 June 2018, the European Court of Justice (ECJ) decided that the creation of a Facebook fan page established responsibility on the part of the fan page administrator (Case No. C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holdstein GmbH). Accordingly, Facebook and the fan page administrator are jointly responsible for compliance and must therefore conclude an agreement to determine the division of responsibilities in accordance with Art. 26 of the General Data Protection Regulation (GDPR).
In addition, the persons considered and the data protection agencies are not limited to make claims on the basis of data protection regulations against Facebook only, but can also directly make claims against the respective fan page administrator. There is a risk that against the fan page administrator warnings, prohibition orders and fines may be invoked.
These legal risks increased on 5 September 2018 with the adoption of the resolution by the Germa Data Protection Conference (DPC – DSK), the Committee of Independent Federal and Laender Data Protection Authorities. The full text of the resolution (only available in German) can be found here.
The most important questions arising in relation to the resolution are answered below:
1. What does the DPC resolution cover?
First, the DPC noted that Facebook has not changed its general practice, despite the judgment of the ECJ: it still used cookies with identifiers, even for people who didn’t have a Facebook account, when these people went beyond the homepage of the fan page and retrieved content. In addition, fan page visits were still being evaluated according to specific, sometimes predefined criteria as part of the “insights” function and these evaluations were still being made available to website operators.
The DPC further criticised the fact that Facebook had not yet established an agreement with fan page administrators on joint responsibility for data processing.
Administrators were also taken to task. The DPC emphasised that it is illegal to set up a fan page, such as using Facebook, without an appropriate agreement on the division of responsibilities in place. Both parties (Facebook and the fan page administrator) needed to provide greater clarity on this situation and make the necessary information available to visitors to the fan page as data subjects. The DPC again pointed out that data subjects could assert their rights under the GDPR (e.g. right to information) against the administrator of the fan page, too.
In this respect, the DPC established a list of questions that both Facebook and the fan page administrator had to be able to answer. These covered, for example, how the responsibilities were shared between the administrator and Facebook, the purpose and legal basis of the processing of personal data, how the key aspects of the agreement about their shared responsibility would be made available and how the protection of the rights of data subjects would be ensured.
2. How did Facebook react?
In reaction to the DPC resolution, Facebook supplemented their general terms and conditions on the use of “Insights” with a “Page Insights Controller Addendum”.
In this Addendum, Facebook repeats the assessment of the ECJ and explains that, although the fan page administrator is jointly responsible, together with Facebook Ireland Ltd, for the processing of insights data, Facebook takes primary responsibility for the processing of this data and for compliance with all applicable obligations under the GDPR.
Facebook then confers upon the controller of the fan page the obligations to ensure that they have the legal basis for the processing of Insights, to identify the data controller of the page and to otherwise comply with all applicable legal obligations. In addition, administrators must comply with their reporting obligations (for more information see below under point 5).
To the extent that the fan page is used or accessed for business or commercial purposes, all legal actions in connection with Insights are to be subject to the laws of Ireland and fall under the jurisdiction of the Irish courts.
The full Addendum can be found here.
3. What must be in an agreement about joint responsibility?
According to Article 26 of the GDPR, the two controllers, who are jointly responsible for the processing, must determine, in a transparent manner, their respective responsibilities for compliance with the obligations under data protection law. This relates, in particular, to the exercise of rights by data subjects and the duty to provide information.
4. Should I shut down my Facebook fan page?
It is still not necessary to immediately shut down any Facebook fan pages. However, it should be kept in mind that it is practically impossible to ensure that the operation of a fan page will be 100% legal at the moment. At the same time, implementing certain measures can reduce the risk that consumer protection organisations or supervisory authorities will become involved.
It remains to be seen whether or not the German Federal Court of Justice (Bundesgerichtshof - BGH) will find that the processing of personal data as part of the general use of Facebook constitutes a breach of data protection law. If this is the case, further action will be required, especially from Facebook.
5. What actions should fan page administrators take?
a) Designate a responsible body / Data Protection Officer
The fan page controller must name the body that is responsible for the processing. This will normally be the controller itself, so that its name and contact details (postal address, email and/or telephone number) must be provided. To the extent that the controller has also appointed a data protection officer, the contact details of this officer should also be provided.
b) Designate the legal basis
Moreover, the fan page administrator must specify the legal basis for the processing of Insights data. Two possible approaches can be considered.
The controller could rely on a legitimate interest (Article 6 para. 1 f) GDPR), because Insights provide an understanding of the visitor structure, which enables administrators to adjust website content in order to make it more relevant and increase user satisfaction. This in turn can increase the reach of the fan page and the number of users, which can yield economic or other perceived benefits for the fan page controller. With numerous discussions and articles in the media, it can reasonably be assumed that users expect their data to be used for the purposes of analysis every time they use Facebook.
Supervisory authorities, however, have taken a narrower view; they consider that such tracking measures require the consent of the data subject.
At present, it is not technically possible for an administrator of a Facebook fan page to gain this consent, as the administrator does not have the possibility of explaining the internal processing activities of Facebook to the user before that processing begins.
Neither approach can therefore guarantee legal security for the operation of a fan page. In light of the fact that it is de facto impossible for the administrator to obtain the informed consent of the user, it seems advisable to instead use Article 6 para. 1 f GDPR as the legal basis for processing. As an administrator of a fan page can use Insights for economic and other perceived benefits and users assume that their data will be processed, this appears, for the time being, to be a sensible approach. In the case of dispute, a court would have to clarify whether the strict interpretation of the supervisory authorities applies at all.
For those fan page administrators, who would rather not accept the remaining risk that measures might be imposed by the supervisory authority, the only other alterative at the moment is to (temporarily) deactivate the fan page.
If a data subject or a supervisory authority contacts the fan page administrator about the processing of Insights data and the obligations assumed by Facebook, Facebook requires the administrator to forward this request and all information to Facebook within seven days. Facebook has made a specific form available for this purpose.
d) Other information obligations
Facebook makes the “Page Insights Controller Addendum” available to data subjects. In light of the fact that this Addendum must also be easily accessible to non-Facebook users, it is recommended that the fan page controller also provide a link to the Addendum on their fan page. Where available, the fan page should also contain a link to the privacy statement or integrate it into the “our story” section of the fan page.
As Facebook has not fully answered the questions of the DPC, it is not yet clear, how the data protection authorities will proceed. At least with respect to the transparent determination of the respective responsibilities of Facebook and fan page administrators as joint controllers, the “Page Insights Controller Addendum” seems to fulfil the requirements.
Fan page administrators are still faced with the risk of determining a valid basis for the processing of Insights.
Commercial fan page controllers should also bear in mind that Facebook wants to move all legal disputes that arise in relation to Insights to Ireland.
We therefore recommend that controllers implement the measures outlined under point 5 above, in order to minimise their risks under data protection law.
and Mathias Zimmer-Goertz
Christian Frederik Döpke