Does your organisation have a fan page on Facebook? If so, then you are jointly responsible with Facebook for the processing of personal data relating to visitors on those pages.
This was the headline from a judgment issued by Europe’s highest court (the CJEU) in relation to various questions that were referred to it by Germany’s federal administrative court.
As many organisations do, a reputable German educational provider used a Facebook fan page to share news and other media with Facebook users and visitors to promote its activities. Administrators of Facebook fan pages are provided with anonymous statistical information about visitors to their fan pages through ‘Facebook Insights’ in accordance with Facebook’s terms and conditions. Unique users are identified by Facebook through the use of a ‘cookie’ which is stored on users’ devices for two years.
The CJEU was asked to consider whether the administrator of a Facebook fan page was responsible for the way in which Facebook processes personal data of visitors to fan pages.
The CJEU concluded that Facebook was clearly a “controller” as it determined the purposes for and manner in which personal data relating to Facebook users are processed. However, it also concluded that the administrators of fan pages are jointly responsible with Facebook for such processing because they are able to define the parameters by which the anonymised statistics are gathered and presented to them in line with their objectives; for example, defining the demographic profile of a fan page’s target audience based on age, sex, lifestyle, interests and even purchasing habits.
The CJEU stated that the fact that an administrator uses the Facebook platform to benefit from its associated services does not exempt it from its obligation to comply with data protection law; otherwise the objectives of that law would be compromised.
Many organisations that use third party platforms such as Facebook do so passively, without giving much thought to how the platform works and how it collects personal data relating to users. This has always been regarded as the “platform’s problem”. However, this judgment clearly says otherwise.
In a statement sent to Techcrunch, Facebook commented: “We are disappointed by this ruling. Businesses of all sizes across Europe use internet services like Facebook to reach new customers and grow…we will work to help our partners understand [the ruling’s] implications. We are compliant with applicable European law and as part of our preparations for GDPR, we have further improved our privacy policies, controls and tools to make them clearer.”
If the ICO does not agree that Facebook’s changes are adequate and you operate a Facebook fan page (or any similar page on another platform), the ICO could rely on this judgment and exercise its powers under the GDPR to:
- require you and/or Facebook to comply with the GDPR’s requirements within specific timescales;
- impose a temporary or permanent ban on the processing of personal data through your Facebook fan page; or
- impose a fine.
However, given the number of organisations in the UK that operate Facebook fan pages, a reactionary response from the ICO seems unlikely.
Helpfully, the judgment acknowledges that the existence of joint responsibility does not imply equal responsibility. Unhelpfully, it goes on to say this must be assessed with regard to all the relevant circumstances. Given the fact that organisations have no bargaining power when it comes to accepting Facebook’s terms and conditions or control over the technical operation of Facebook’s platform, we would expect the ICO to take a pragmatic approach and perhaps, if it is unsatisfied with the changes that Facebook has made in recent months to its privacy tools, direct Facebook to make further changes.