After another statement by the German Data Protection Authorities (German DPAs) of 5 September 2018 (Statement, available in English here), stating that the operation of a fan page as offered by Facebook was illegal, Facebook reacted “overnight” and released a co-controller agreement, the “Page Insights Controller Addendum” (Insights Addendum, available here). In a press release of 16 November 2018 (Press Release, available in German here), the Berlin Data Protection Authority (Berlin DPA) announced that it has been auditing organisations concerning the use of Facebook fan pages since early November. In this blog, we provide recommendations as to what organisations should do next.

Background

On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its judgment (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the fan page. Only a day later, the German DPAs released their first statement on the consequences of the judgment, arguing that organisations do not meet data protection standards when operating a fan page on Facebook, leaving marketers in Germany and Europe with lots of uncertainty (for more background, please review our previous blog How big is the risk to operate Facebook fan pages in Germany?). Three months then passed without Facebook providing any solution to the operators of fan pages.

German DPAs reiterate that Facebook fan pages were illegal

In its Statement, the German DPAs noted that Facebook has not yet made any statement on how it plans to enable fan pages to be operated lawfully and criticised the fact that a co-controller agreement has not yet been made available. The German DPAs concluded that operating a fan page as offered by Facebook was illegal and demanded that data protection requirements are fulfilled when operating a fan page. The German DPAs also noted that they are working together with the other European authorities to make a coordinated approach towards Facebook.

Facebook has released Insights Addendum

Only a day after the Statement was released, Facebook made available the Insights Addendum. The Insights Addendum applies to the processing of personal data in connection with the analytics tool Facebook Insights (Insights Data) and provides, in particular, that

  • Facebook Ireland and the operator of a fan page are co-controllers;
  • Facebook Ireland takes primary responsibility under the General Data Protection Regulation (GDPR) for the processing of Insights Data, including information obligations, data subject rights, data security and notification obligations in case of a data breach;
  • The operator must ensure having a legal basis for the processing of Insights Data under GDPR;
  • The operator must forward requests by data subjects and supervisory authorities relating to Insight Data to Facebook within seven days;
  • Irish law and venue applies;
  • Facebook may change the Insights Addendum.

Comment

The Insights Addendum clearly is a step in the right direction. The status of illegality as described by the German DPAs by not having a co-controller agreement at all is over. As required in Article 26 (1) GDPR, the Insights Addendum determines the respective responsibilities of both co-controllers. However, there are also various uncertainties regarding the Insights Addendum.

For example, the Insights Addendum only applies to Insights Data, but not to other processing activities on fan pages, such as sharing, liking or posting. The statements of the German DPAs suggested that the co-controller agreement should cover all processing activities in connection with a fan page. The German DPAs might, therefore, request improvement in this regard. It also remains to be seen if supervisory authorities will require a deeper level of detail, in particular regarding the obligation of each co-controller.

A main concern with the Insights Addendum is that it establishes that the operator of the fan page (and not Facebook) must ensure they have a legal basis for the processing of Insights Data. The German DPAs recently stated that tracking and profiling cookies require prior opt-in consent (more on our blog here). It is not clear how operators shall obtain opt-in consent on a fan page, and Facebook has not yet provided a solution for it.

It is also still unclear how the CJEU case law applies to other providers, such as Twitter. It seems likely that supervisory authorities might also regard these processing activities as a co-controller scenario.

Berlin DPA audits organisations

The Berlin DPA announced in its Press Release that it has been auditing organisations that are operators of Facebook fan pages since early November. In the Press Release, the Berlin DPA raises concerns over whether the information provided by Facebook (including the information provided in connection with the release of the Insights Addendum) is sufficient for organisations to fulfil their accountability obligations relating to the processing activities on a Facebook fan page.

The Berlin DPA has sent the following questionnaire to organisations (Questionnaire):

  1. Did you conclude the Insights Addendum? If yes, how did you conclude the Insights Addendum?
  2. What is the main agreement that the Insight Addendum amends?
  3. Is the Insights Addendum a co-controller agreement within the meaning of Article 26 (1) GDPR?
  4. Which specific processing activities does the Insights Addendum regard as co-controllership?
  5. Which data does the term “Insights Data” cover?
  6. Which processing activities for which purposes does the Insights Addendum cover?
  7. How do you make available the essence of the Insights Addendum to data subjects?
  8. Which information did Facebook provide on the processing of personal data of fan page visitors? Do these information allow you to fulfil your GDPR obligations, in particular your accountability obligation?
  9. How is personal data of fan page visitors processed?
  10. What is the legal basis of processing of personal data of fan page visitors?
  11. How are data subjects informed about the processing activities on your fan page?
  12. How are data subject rights implemented, in particular the right to deletion, the right to restriction and objection to processing and access rights?
  13. How does Facebook fulfil data subject requests? How did you review if Facebook has implemented procedures to fulfil data subject right requests?
  14. Are entries for non-members in the so-called local storage created when a fan page is visited for the first time?
  15. For what purposes and on what legal basis are cookies stored after a subpage within the fan page has been called up?

What should organisations do now?

Facebook does not yet provide a fully compliant solution. Organisations should thus consider the following actions to come at least as close as possible to full compliance:

  • Operators should (passively) accept the Insights Addendum for now. Facebook does not clearly provide information on how the Insights Addendum becomes part of the agreement between Facebook and the operator of the fan page. Article 26 GDPR does not require a specific form for concluding a co-controller agreement. It seems likely that (i) Facebook will notify existing operators and the Insights Addendum shall be deemed accepted by the continuous use of the fan page (see further information provided by Facebook here), and (ii) new operators will accept the Insights Addendum as part of the registration process.
  • Operators should provide information on the processing activities concerning their fan page to the data subjects. They can provide such information (i) directly on their fan page, e.g. under “Info” or “About”, or (ii) in their privacy policy on their own website and provide a link to the privacy policy. Article 26 (2) GDPR also requires making available the essence of the arrangement between the co-controllers to the data subject. Operators should thus include a link to the Insights Addendum in the information wording on their fan pages.
  • Operators should request information from Facebook in order to answer the Questionnaire.
  • Operators should try to negotiate a limitation of liability with Facebook. The Insights Addendum does not provide a provision on the liability of the operator.

This is only a first aid kit. The German DPAs have not yet published a full reaction to the Insights Addendum. Supervisory authorities from other member states have also not been active in the aftermath of the CJEU decision on fan pages. Organisations should thus monitor further developments and actions taken by supervisory authorities.

Organisations should also monitor developments concerning other platforms (such as Twitter) as well and at least inform users on processing activities on such platforms.