In its judgement of 5 June 2018, the EU Court of Justice (“CJEU”) had a clear message for owners of Facebook Fan Pages: because of your choice to use Facebook’s social network for your marketing activities, you are jointly responsible together with Facebook for the processing of personal data of the visitors of your Fan Page.

This judgement has caused a number of companies to decide to shut down their Facebook Fan Pages altogether. Others are struggling to find a pragmatic solution to deal with this new (joint) responsibility.

Background of this case

A German entity offered educational services through a Facebook Fan Page and obtained viewing statistics through Facebook Insights. The Facebook Insights service works as follows: through cookies, Facebook collects personal data concerning visitors of a Fan Page; it then aggregates this information and provides anonymous statistics to the administrator of the Fan Page. Based on this information, the administrator can then also request Facebook to display targeted advertisements.

The German entity itself did not get any access to the personal data of the visitors of its Fan Page; only Facebook did. However, it was found that neither the German entity nor Facebook adequately informed the visitors of the Fan Page about the processing of their personal data. The German Data Protection Authority (“DPA”) subsequently ordered the deactivation of the Fan Page, which the Fan Page administrator challenged, arguing that it was not a “data controller” and that the DPA could only find that Facebook was not complying with its GDPR obligations. The German courts referred the case to the CJEU for a preliminary ruling.

Court of Justice confirms legal responsibility of Facebook Fan Page owners

The main question referred to the CJEU was whether the account holder of a social media Fan Page also has the legal responsibilities of a data controller, taking into account that it does not receive access to any personal data obtained through the Facebook Insights tool.

The CJEU followed the Advocate General’s opinion and confirmed the view taken by the German DPA:

  • the administrator of a Fan Page hosted on a social network (Facebook), by creating such a page, creates the opportunity to place cookies on the device of a visitor of the Fan Page;
  • as the definition of parameters by the administrator of the Fan Page influences the processing of the personal data (with the filters available on Facebook, the administrator may select the criteria on the basis of which the statistics are made), the administrator contributes to the determination of the purposes and the means of the processing of the personal data; and
  • the fact that the administrator does not have access to these personal data does not prevent it from being a “joint controller” together with Facebook.

“Joint” responsibility is not “equal” responsibility

The CJEU has now made it clear that the fact that an administrator of a Fan Page uses the platform provided by Facebook in order to benefit from the associated services offered by Facebook cannot exempt it from compliance with its GDPR obligations insofar as the processing of personal data via such Fan Page is concerned.

This has already caused a number of companies to delete their Fan Pages, simply because they do not want to share this legal responsibility with Facebook.

On the other hand, the CJEU does leave some breathing room for Fan Page owners, clarifying that the existence of “joint” responsibility does not necessarily imply “equal” responsibility of the various operators involved in the processing of personal data. Those operators may indeed be involved at different stages of that processing activity and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the case.

How to proceed?

How this “case-by-case” assessment will take place in practice is of course still to be seen.

In the meantime, Fan Page administrators are placing privacy & cookie notices on their Fan Pages to comply with their transparency obligations as ‘joint controller’, and Facebook has announced a revision of its terms and conditions to accommodate the joint responsibility scenario.