Skip to: main navigation | main content | sitemap | accessibility page

 
 
 

European court delivers blow for Facebook fan pages

Does your organisation have a fan page on Facebook? If so, then you are jointly responsible with Facebook for the processing of personal data relating to visitors on those pages.

This was the headline from a judgment issued by Europe’s highest court (the CJEU) in relation to various questions that were referred to it by Germany’s federal administrative court.

Facts

As many organisations do, a reputable German educational provider used a Facebook fan page to share news and other media with Facebook users and visitors to promote its activities. Administrators of Facebook fan pages are provided with anonymous statistical information about visitors to their fan pages through ‘Facebook Insights’ in accordance with Facebook’s terms and conditions. Unique users are identified by Facebook through the use of a ‘cookie’ which is stored on users’ devices for two years.

In 2011, one of Germany’s regional data protection regulators ordered the educational provider to deactivate its fan page on the basis that neither they nor Facebook informed visitors about the use of cookies and the processing of their personal data (although the educational provider could only see anonymised data, Facebook could identify particular users). The educational provider objected to the regulator’s order before the German courts, on the basis that it had no control or influence whatsoever over Facebook’s processing operations and that the regulator should have taken action against Facebook instead.

The CJEU was asked to consider whether the administrator of a Facebook fan page was responsible for the way in which Facebook processes personal data of visitors to fan pages.

Judgment

The CJEU concluded that Facebook was clearly a “controller” as it determined the purposes for and manner in which personal data relating to Facebook users are processed. However it also concluded that the administrators of fan pages are jointly responsible with Facebook for such processing because they are able to define the parameters by which the anonymised statistics are gathered and presented to them in line with their objectives; for example, defining the demographic profile of a fan page’s target audience based on age, sex, lifestyle, interests and even purchasing habits.

The CJEU stated that an administrator of a fan page that uses the Facebook platform to benefit from associated services cannot exempt it from its obligation to comply with data protection law, otherwise those objectives would be compromised.

Comment

Many organisations that use third party platforms such as Facebook do so passively, without giving much thought to how the platform works and how it collects personal data relating to users. This has always been regarded as the “platform’s problem”. However this judgment clearly says otherwise.

In a statement sent to Techcrunch, Facebook commented: “We are disappointed by this ruling. Businesses of all sizes across Europe use internet services like Facebook to reach new customers and grow…we will work to help our partners understand [the ruling’s] implications. We are compliant with applicable European law and as part of our preparations for GDPR, we have further improved our privacy policies, controls and tools to make them clearer.”

If the ICO does not agree that Facebook’s changes are adequate and you operate a Facebook fan page (or any similar page on another platform), the ICO could rely on this judgment and exercise its powers under the GDPR to require you and/or Facebook to:

  • comply with the GDPR’s requirements within specific timescales;
  • impose a temporary or permanent ban on the processing of personal data through your Facebook fan page; or
  • impose a fine.

However given the number of organisations in the UK that operate Facebook fan pages, a reactionary response from the ICO seems unlikely.

Helpfully, the judgment acknowledges that the existence of joint responsibility does not imply equal responsibility. Unhelpfully, it goes on to say this must be assessed with regard to all the relevant circumstances. Given the fact that organisations have no bargaining power when it comes to accepting Facebook’s terms and conditions or control over the technical operation of Facebook’s platform, we would expect the ICO to take a pragmatic approach and perhaps, if it is unsatisfied with the changes that Facebook has made in recent months to its privacy tools, direct Facebook to make further changes.

What should you do for now? If you have a Facebook fan page but rarely share anything through it and have a low level of engagement, you may consider whether it is worth keeping it in the first place! However if your Facebook fan page is a central part of your marketing efforts, you should keep a close eye on Facebook’s response to the judgment and perhaps take greater steps to draw the attention of visitors to Facebook’s Privacy Policy and Cookies Policy.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.

Categories: GDPR | Commercial | For Business | Digital Media & Technology

Meet The Author

Navigation

Taxonomy Selection

 

To find out how we can help you or your business, get in touch.

Give us a call:

0117 906 9400

 
 
 
  • This field is for validation purposes and should be left unchanged.