On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its long-awaited Facebook fan page judgement (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the page. Only a day later, the Conference of German Data Protection Authorities (German DPAs) released a statement, titled ‘Time is up for not being responsible’ (Statement, available in German here), arguing that organisations do not meet data protection standards when operating a fan page on Facebook. Marketers in Germany and Europe are now uncertain whether they should take down their Facebook fan pages and any other social media presence. In this blog, we provide you with a first interpretation and a ‘first aid kit’.
Background
Wirtschaftsakademie Schleswig-Holstein GmbH (Wirtschaftsakademie) operates a Facebook fan page and was ordered by the Schleswig-Holstein Data Protection Authority to deactivate the fan page. Neither Facebook Ireland Ltd nor Wirtschaftsakademie had been informing visitors of the functioning of cookies and subsequent processing of their data. Wirtschaftsakademie took this case to court, arguing essentially that it was not responsible for the processing of data by Facebook or cookies installed by Facebook.
CJEU decision
The CJEU ruled that the operator of a fan page hosted on a social network must be considered a ‘data controller’.
The court began by noting that the concept of controller must be defined broadly as an entity that alone or jointly with others determines the purposes and means of the processing of personal data. It observed that, for the European Union, Facebook Ireland must be regarded as controller responsible for the processing of personal data of Facebook users and persons visiting the fan pages hosted on Facebook.
Next, the CJEU stated that the operator of a fan page hosted on Facebook is also a (co-) controller. The operator contributes to the processing of the visitors’ personal data by defining parameters in the creation of the fan page. In particular, the operator can request the processing of demographic data relating to its target audience (for example, age, sex, information on lifestyle and interests) and geographical data that allow the operator to best target the information it offers.
The case has now been referred back to the German Federal Administrative Court, which will decide whether the specific use of Facebook fan pages by Wirtschaftsakademie was compliant.
German DPAs argue fan pages violate GDPR
On 6 June 2018, the German DPAs released the Statement and noted that the CJEU decision has direct consequences for fan page operators, which cannot rely on Facebook being solely responsible for the data processing.
According to the German DPAs, the operators must comply with the applicable provisions in the General Data Protection Regulation (GDPR), specifically the following obligations:
- The operator must provide information on processing activities by Facebook and by the operator itself transparently and in an understandable form.
- The operator must ensure that Facebook provides the relevant information to enable the operator to fulfil its information obligations.
- The operator must obtain opt-in consent for tracking visitors to a fan page (e.g., by using cookies or similar technologies).
- The operator must enter into a co-controller agreement with Facebook.
The German DPAs conclude that there is an urgent need for action by fan page operators, while acknowledging that such operators can only fulfil their data protection obligations if Facebook provides a compliant product. The Statement addresses only operators of fan pages that are directed at German users – for now.
The Statement is a surprisingly strong call for action – for Facebook and fan page operators alike. In a press release issued on 8 June 2018 (available in German here), the Schleswig-Holstein Data Protection Authority stated that Facebook had not yet reacted to the CJEU judgement or offered a co-controller agreement.
The intention of the German DPAs in publishing this Statement is not entirely clear, but it could be understood as a major warning that they will start enforcing it and issuing fines (rather soon, given the use of phrases such as “time is up”, “direct consequences for operators” and “urgent need for action”). The Statement does not directly request all organisations to shut down their Facebook fan pages. However, the North Rhine-Westphalia Data Protection Authority noted in a recent statement that it is currently reviewing – as are other German and European supervisory authorities – “when and how” (not ‘if’!) it will enforce privacy rights on fan pages.
What should organisations do?
The reaction of organisations to the CJEU judgement and the German DPAs’ Statement ultimately depends on how Facebook will react, in particular, on whether it will provide a co-controller agreement, more transparent information on data processing and a compliant opt-in consent procedure for fan page cookies.
Facebook has not yet publicly provided a solution, but did release a general statement that it is currently preparing the necessary steps so that operators of fan pages can comply with data protection law.
In the meantime, organisations – at least those addressing the German market – must come as close as possible to GDPR compliance without Facebook’s support. The following actions could be considered:
- If an organisation does not operate a fan page or the fan page is not highly significant for marketing activities, the organisation should refrain from creating any additional fan page or shut down its existing fan page until the situation is clearer.
- All other organisations should try to implement the obligations set forth by the German DPAs in the Statement as far as possible. This could include, for example:
  - Providing at least basic information regarding data processing by Facebook on fan pages, based on information Facebook has made publicly available;
  - Providing at least a link to cookie consent tools, such as http://www.youronlinechoices.com/de/praferenzmanagement/, to enable users to opt out; a sufficient procedure for obtaining opt-in consent can only be provided by Facebook;
  - Requesting that Facebook provide the information and support required by the German DPAs (a cookie consent procedure and a co-controller agreement);
  - Sending a co-controller agreement to Facebook, stating that it should be deemed accepted if Facebook does not respond;
  - Including in their privacy policy the option for users to ask to see the organisation’s request to Facebook mentioned above.
Organisations should be aware that the information contained here is a first aid kit only and that the situation must be monitored. There remains the possibility that German DPAs will take action if Facebook does not offer a solution in the next few days.