Does your company have a Facebook fan page?

On June 5, 2018, the European Court of Justice (ECJ) passed an eagerly awaited ruling on the data protection obligations of companies that operate a so-called "Facebook fan page".

This was the background: A company ran a fan page on Facebook. It was a company page like countless others. In 2011, the data protection authority ordered the fan page to be deactivated because Facebook uses cookies to collect personal data from visitors to the fan page without informing them sufficiently.

The data collected is used both by Facebook to improve their advertising system and by the company itself. In some cases, the data is also passed on to "Facebook partners", e.g. Cambridge Analytica.

A company that operates a Facebook fan page receives certain personal data about the visitors to its fan page via the Facebook Insight function, in the form of anonymous statistics that can be used to optimize the company's marketing. When setting up the fan page, a company can define filter criteria according to which these statistics are generated, e.g. a visitor's age, gender, relationship status, professional situation, lifestyle or interests.

In its recent ruling, the ECJ ruled that not only Facebook, but also the company operating the fan page, is legally responsible for data protection. This is remarkable in that the company itself does not actually collect any personal data and the data is collected by Facebook only.

In the view of the ECJ, the company is nevertheless indirectly involved in the processing of the data through the filters selected. This and the creation of a fan page make it possible for Facebook to collect the data in the first place.

This means that both Facebook and the company are considered "controllers" and have a "shared responsibility" towards the visitors to the fan page, although the degree of responsibility and liability can vary depending on the circumstances.

Data protection consequences for fan page operators

What consequences does this have for companies running a fan page on Facebook or in other social media? The answer to this question has not yet been sufficiently clarified, but for the time being, the following rings true:

  1. The ECJ ruling is based on a case that took place between 2011 and 2013, when the General Data Protection Regulation (GDPR) was not yet in force. Nevertheless, due to the principles of data protection law that have remained unchanged since then, it is highly probable that the ruling still applies today.
  2. "Data controllers jointly responsible for processing data" shall, in accordance with Article 26 of the GPDR, define in an agreement how they shall fulfil their data protection obligations. The essential parts of this agreement must be disclosed to the fan page visitors.  This requires the participation of Facebook. However, Facebook does not currently offer an agreement such as this to companies. Operators of fan pages may therefore be acting in a grey area and may be potentially violating the GPDR.
  3. In any case, fan page operators are advised to check their filter settings and reduce them to the extent necessary or even switch them off completely.
  4. Visitors must be fully informed about Facebook's data processing. They should also be informed of the purpose for which Facebook processes their data. However, the difficulty is that this purpose is not fully known. From a legal point of view, it is probably even necessary to obtain fan page visitors' consent in order for Facebook to be allowed to process their data. This applies in particular to visitors who do not have a Facebook user account themselves, as Facebook also collects their data.
  5. The "shared responsibility" is also likely to apply to the installation of social media plug-ins on corporate websites. A case dealing with this question is currently pending before the ECJ.

Risks for companies using Facebook & Co

Conclusion: Without the cooperation of Facebook, the data protection problems appear to be unsolvable. According to a press release by the Saxon Data Protection Officer (www.saechdsb.de), this is also the view of the German data protection authorities. Fan page operators are therefore currently exposed to the risk of fines and claims for damages.

A final word about the Facebook function Custom Audiences, where companies' hashed email addresses are sent to Facebook for comparison and targeted advertising: According to a recent ruling by the Administrative Court of Bayreuth, this requires the consent of those affected.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.