In its June 5, 2018 judgement, the Court of Justice of the European Union ruled that operators of Facebook fan pages are jointly responsible with Facebook under data protection law for processing personal data of visitors to the fan pages (see our article), alarming a great number of companies. In September 2018, when the Data Protection Conference subsequently published a resolution virtually stating that Facebook fan pages could not be lawfully operated without a corresponding agreement, many companies actually shut down their fan pages. When Facebook responded a short time later by making a Page Controller Addendum available, many fan page operators breathed a sigh of relief and considered the problem solved.
Since November 15, 2018, however, the Berlin Commissioner for Data Protection and Freedom of Information has been sending out hearing letters asking 15 questions about data protection co-responsibility on Facebook fan pages. These are requiring many more details than the questions posed by the Data Protection Conference in its September resolution. Companies may find it difficult to respond to the questions without the assistance of Facebook. These questions alone show that the Berlin-based regulator continues to have doubts about the lawfulness of operating fan pages. A parallel press release also states:
“The Berlin Commissioner for Data Protection and Freedom of Information doubts, however, that the information that Facebook has provided to date – including in connection with the published addendum – is sufficient to account for the lawfulness of processing the data of visitors to the fan pages.”
But what are companies to do now?
Although these measures cannot guarantee full protection, either, no hasty action should be taken until the Federal Administrative Court has issued a final judgement.