Companies can be penalised if Facebook violates data regulations

1 October, 2018

Companies and public authorities with a fan page on Facebook share data responsibility with Facebook. Facebook’s violation of EU data protection rules may also affect the administrator of the page in question, who may be subject to sanctions for the violation.

Read lawyer Hans Sønderby Christensen’s article published on Wednesday, September 19, 2018, on Jyllands-Posten’s website here.

The EU Court of Justice has recently established that Facebook and the companies and public authorities that administer a fan page on Facebook share responsibility for complying with EU data protection rules when personal data collected in connection with visits to the administrator’s fan page is processed.
The judgment arises from a dispute between the German educational institution Wirtschaftsakademie Schleswig-Holstein GmbH (hereinafter Wirtschaftsakademie) and Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (hereinafter ULD), which is the regional authority in Schleswig-Holstein that supervises compliance with EU data protection rules.
Wirtschaftsakademie had created a fan page on Facebook from which the company offered educational programmes. Using the tool “Facebook-Insights”, the company received statistical information about the users who visited the fan page. In 2011, ULD issued an order to Wirtschaftsakademie to deactivate its fan page on Facebook. The reason was that neither Wirtschaftsakademie nor Facebook informed the visitors to the fan page that Facebook was collecting their personal data using cookies and subsequently processing the information. ULD considered this to be in violation of EU data protection rules. Wirtschaftsakademie, on the other hand, did not believe that the company was responsible for Facebook’s collection and subsequent processing of the information.
The Bundesverwaltungsgericht (hereinafter the Federal Court of Justice) in Germany, where the case is now pending, decided to stay the proceedings and refer questions on the interpretation of EU law to the EU Court of Justice for a preliminary ruling. A central question that the EU Court of Justice had to clarify in this connection was whether an administrator of a fan page on Facebook should be considered a data controller under EU data protection rules.
The EU Court of Justice initially noted that EU data protection rules define a data controller broadly as a natural or legal person, public authority, institution or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The phrase “alone or jointly with others” indicates that there may be several data controllers who share responsibility. The significance of being a data controller is that one is responsible for ensuring that EU data protection rules are complied with. This includes, among other things, that in certain cases consent must be obtained to process personal data.
The EU Court of Justice established that Facebook can undoubtedly be considered a data controller as referred to in EU data protection rules. It is primarily Facebook that determines the purposes and means of processing users’ personal data.
The EU Court of Justice noted that, in order to answer the question submitted, it had to examine whether and to what extent the administrator of a fan page on Facebook, such as Wirtschaftsakademie, contributes to determining the purposes and means of processing users’ personal data, and thus whether the administrator of a fan page should also be considered a data controller as referred to in EU data protection rules.
The creation of a fan page on Facebook implies that the administrator signs the terms of use of the fan page. This includes the associated policy on the use of cookies. When a user visits a fan page, Facebook stores cookies on the user’s PC, tablet, smartphone or other medium. These cookies are active for two years, unless they are deleted. Via cookies, it is possible for Facebook to collect personal data about users and observe users’ habits online. This is also known as “web tracking”.
Using the Facebook-Insights tool, which Facebook makes available free of charge, the administrator of a fan page can receive statistical information about the users who visit the fan page, including their age, gender, relationship status and work. The tool also gives the administrator the opportunity to receive information about users’ online trends, for example their habits, lifestyle, areas of interest and purchasing behaviour. The statistics are prepared by Facebook, but the administrator of a fan page can customise, by ticking a box, which information and which people the statistics should cover. Companies can use the information for commercial purposes with a view to, for example, tailoring their communication and marketing to specific target groups and carrying out specific sales promotions.
The EU Court of Justice concluded that, based on these circumstances, the administrator of a fan page on Facebook contributes to determining the purposes and means of processing personal data about the users who visit the company’s fan page. In particular, the EU Court of Justice emphasised that the administrator of a fan page, by using Facebook-Insights, can request to receive personal data about the users who visit the fan page, which means that such data is processed, and that the administrator can specifically define, by ticking a box, the personal data that they want processed.
In the specific case, the EU Court of Justice established on that basis that the administrator, Wirtschaftsakademie, together with Facebook should be considered a data controller as referred to in EU data protection rules. As a result, Wirtschaftsakademie, together with Facebook, is responsible for ensuring that the processing of personal data on the users who visit the company’s page meets the conditions for being in accordance with EU data protection rules. For example, such information must not be processed under the rules without the user in question being informed in advance and giving their consent.
Although the specific case concerns the Data Protection Directive, which on May 25 of this year was replaced by the General Data Protection Regulation, the judgment will also have significance for the future application of EU data protection rules, because the basic provisions in the Data Protection Directive on data controllers have been carried over unchanged into the General Data Protection Regulation.
The Data Protection Agency, which is the authority in Denmark that supervises compliance with EU data protection rules, has, following the judgment, recommended that companies and public authorities that administer a fan page on Facebook ensure that they enter into an agreement with Facebook on the terms for the division of responsibility between them.
