Facebook fan page operations might lead to considerable privacy compliance issues for companies running them after a recent decision of the ECJ.
What had happened?
On 5 June 2018, the European Court of Justice (ECJ) issued a controversial decision on the interpretation of the EU Directive 95/46(which is the predecessor of the GDPR), namely on the extent of the definition of “data controller“, which may lead to the attribution of new responsibilities to Facebook fan page administrators. The question submitted to the ECJ originates in 2011 when the German data protection authority issued an order to shut down a Facebook page run by a company to advertise its services, due to a violation of data protection rules by the administrator (i.e. the company running it) of the Facebook page. More specifically, the page used a tool provided by Facebook (Facebook Insight), which collected data of the visitors of the page via cookies. This feature was part of Facebook’s terms of service, but, according to the German DPA, neither Facebook nor the administrator of the page had properly informed the users that their personal data were being collected and processed for such purposes.
The case was then brought before the relevant administrative courts in Germany, and eventually the question was referred to the ECJ for a preliminary interpretation of the provisions of the Directive. In particular, the national judges asked whether article 2 (d) of the Directive could be interpreted in such a way that a subject different from the “data controller” stricto sensu could be held liable for violations of data protection laws.
In order to answer this question, the Court considered the role of the administrator of the Facebook fan page and to what extent he is actually able to “determine the purposes and means of the processing of personal data” of the visitors of the page, together with Facebook itself.
The decision of the ECJ on the privacy role of Facebook fan page admins
In its reasoning, the ECJ held that the processing of users’ personal data via cookies, on the one hand benefits Facebook, which is able to improve its advertising system thanks to the analysis of the browsing data of its users but, on the other hand, this feature is also beneficial to the administrators since through Facebook Insight they can have access to statistics and data on the visitors of the page such as their interests and profiles, thus enabling them to better advertise their page, for example by providing contents and features which are more in line with the profiles of the users or setting filters and parameters in order to define their “target users“.
Moreover, the judges stressed that Facebook fan pages can be accessed not only by Facebook users, but also by other subjects who do not have a registered account. In this case, according to the ECJ, the liability of the administrator is even more important, since the mere consultation of a Facebook fan page by a user, whether or not he has a Facebook profile, amounts to processing of personal data, and there is therefore a specific need for protection.
Based on the above, the ECJ held that the administrator of a Facebook fan page, actually contributes to the determination of the means and purposes of processing of users’ personal data. Therefore, in order to ensure a complete and effective protection to the rights of the fan page visitors, it is necessary to recognise a “joint responabilility” of the administrator of the page and the social network.
This co-responsibility however, as noted by the Advocate General and shared by the judges, does not necessarily mean an “equal responsibility“, since different subjects carry out different processing operations. Therefore, considering that each operator is involved at different stages and different degrees of the processing, their liability must be evaluated on a case-by-case basis.
Our view on the decision and what might change under the GDPR?
The decision of the ECJ is definitely controversial since even though Facebook page admins get the benefits of applications like Facebook insights, it also true that they do not have access to any of the personal data collected by Facebook (other than aggregated statistics) and have no control on the modalities of processing of personal data performed by Facebook.
Both the GDPR and the EU Directive 95/46 refer to the data controllers as the entity which “determines the purposes and means of the processing of personal data” which can never happen in a scenario like the one applicable to Facebook pages. Also, if the driver of the qualification is given by the benefits that admnis can gain, the same reasoning might apply to any advertisement published on Facebook for which advertisers get only statistical data, which is unlikely to make any sense.
Finally, if the Facebook fan page admin and Facebook are jointly liable, shall they be qualified as joint data controllers under 26 of the GDPR or as autonomous data controllers? The GDPR refers to joint controllers as those that “jointly determine the purposes and means of processing, they shall be joint controllers” requiring an agreement between the parties which will never be an agreement of equals that would actually lead to a determination of the purpsoes of processing by the Facebook fan page admin.
What to do now?