In its June 5, 2018 judgement, the Court of Justice of the European Union ruled that operators of Facebook fan pages are jointly responsible with Facebook under data protection law for processing personal data of visitors to the fan pages (see our article), alarming a great number of companies. In September 2018, when the Data Protection Conference subsequently published a resolution virtually stating that Facebook fan pages could not be lawfully operated without a corresponding agreement, many companies actually shut down their fan pages. When Facebook responded a short time later by making a Page Controller Addendum available, many fan page operators breathed a sigh of relief and considered the problem solved.

Since November 15, 2018, however, the Berlin Commissioner for Data Protection and Freedom of Information has been sending out hearing letters asking 15 questions about data protection co-responsibility on Facebook fan pages. These require many more details than the questions posed by the Data Protection Conference in its September resolution. Companies may find it difficult to respond to the questions without the assistance of Facebook. These questions alone show that the Berlin-based regulator continues to have doubts about the lawfulness of operating fan pages. A parallel press release also states:

“The Berlin Commissioner for Data Protection and Freedom of Information doubts, however, that the information that Facebook has provided to date – including in connection with the published addendum – is sufficient to account for the lawfulness of processing the data of visitors to the fan pages.”

But what are companies to do now?

Practical advice:

First of all, fan page operators should not panic. Agreeing to the Page Insights Controller Addendum by accepting the Terms of Service (in the end, simply by continuing to operate the fan page) represents an initial step towards meeting the requirements of the Data Protection Conference. In addition, a reference to operation of the fan page, the joint responsibility, and an outline of the agreement must be included in the company’s Privacy Policy. Although Facebook has undertaken in the Addendum to make an outline available to users, as long as this is not yet the case, fan page operators should take appropriate security precautions. Moreover, fan page operators must provide a legal basis for their own data processing. As a rule, this should be the operator’s legitimate interest in marketing and assessing marketing activities. Finally, companies should deal with the questions of the Data Protection Conference and of the Berlin-based regulator and be able to respond to them in case of doubt.

Although these measures cannot guarantee full protection either, no hasty action should be taken until the Federal Administrative Court has issued a final judgement.