Fan pages or company profiles on Facebook are a popular communication channel. However, there are still some data protection problems. In a ruling of 5 June 2018, the Court of Justice of the European Union (CJEU) tied the operation of a Facebook fan page to such strict requirements that a data protection-compliant operation is de facto impossible.
A statement of the Data Protection Conference (DSK), the body of German data protection supervisory authorities, published in March 2022 takes up the issue of fan pages once again. This time it takes into account the German Telecommunications Telemedia Data Protection Act (TTDSG), introduced in December 2021, in order to provide more clarity about current legal compliance.
Fan pages and the problem of joint responsibility
According to the CJEU, the use of the tracking function provided by Facebook is particularly problematic for the data protection-compliant design of fan pages. The court considered the “Insights” function to be a joint responsibility in terms of data protection law due to the relationship between the fan page operator and Facebook.
Both Facebook and the companies that operate a fan page have great interest in being able to evaluate these page statistics in order to achieve higher sales on the one hand and to place targeted advertising on the other.
Since both the operators and Facebook process the data in their own interest and jointly determine the means and purposes of the processing, the requirements of Art. 26 of the General Data Protection Regulation (GDPR) are met.
Requirements for data processing in case of joint responsibility
Thus, companies and Facebook must adhere to the regulations of Art. 26 GDPR when operating fan pages. First of all, an agreement must be concluded between the two controllers that stipulates the following:
- Fulfilment of obligations by the respective controller, including in particular the fulfilment of information obligations (data protection notices/privacy policies) and data subject rights (answering e.g. access requests);
- If necessary, designation of a contact point for affected persons; and
Facebook has made provisions for all of the above-mentioned obligations and, in its opinion, has found a solution that should spare the fan page operator any action. However, the DSK’s opinion of 1 April 2019 already revealed further serious violations of Art. 26 of the GDPR. Some of the main points of criticism were, amongst others, that fan page operators were not granted decision-making power over the processing of fan page user data by Facebook and that they, as data controllers, also had no legal basis of their own for processing fan page user data. Although the obligations granted by Facebook in the amendment were a step in the right direction and fulfil some of the requirements of Art. 26 of the GDPR, there is still a risk of a fine being imposed pursuant to Art. 83 (4) and (5) of the GDPR.
Brief report of the DSK Task Force
In order to deal with the issue of Facebook fan pages in particular and to examine them in more detail, a task force was set up by the German Data Protection Conference (DSK). In a further expert opinion of 18 March 2022, this task force once again dealt with the problem of legally compliant operation of Facebook fan pages.
The expert opinion refers in particular to the storage of information in the end devices of the users and to the access to information that is already stored in the end devices. The expert opinion also explicitly addresses fan pages of public bodies. Due to the joint controllership, the operators of a fan page must be able to prove a corresponding legal basis.
In the opinion of the DSK, neither lawful processing by consent pursuant to Art. 6 (1) (a) of the GDPR nor by legitimate interest pursuant to Art. 6 (1) (f) of the GDPR can be considered, especially in the case of public bodies in the context of their public interest work, given the unclear scope of the processing and the lack of information. Processing for a task in the public interest pursuant to Art. 6 (1) (e) of the GDPR is also ruled out, as this legal basis can only be applied to the extent that the data are actually processed for purposes in the public interest.
However, since insights are intended to create advertising profiles, this does not fall under the category of public interest. Art. 6 (1) (e) GDPR is therefore not a suitable legal basis.
Furthermore, in the opinion of the DSK, it is not sufficient to refer to the information on Facebook’s insight tool in order to fulfil the duty to inform data subjects about the joint responsibility agreement with Facebook.
Due to a lack of information about the processing of personal data in connection with the use of Insights, consent pursuant to Art. 6 (1) (a) GDPR cannot stand as an effective legal basis.
Data protection assessment and risk minimisation for Facebook fan pages
Due to the points discussed above, the operation of Facebook fan pages by both public and private bodies is not in compliance with the GDPR. With regard to the exemplary function of public bodies, it is precisely these that should deactivate their fan pages if they cannot comply with the transparency obligation pursuant to Art. 26 (2) of the GDPR.
Private companies that use such fan pages and do not want to do without them should at least consider the following points in order to minimise their risk:
- Install an opt-in banner on your website, which asks for consent for tracking on your Facebook fan page and access to the information already stored in the users’ end device. This way you can at least create a legal basis for some users tracked by Insights.
- Inform about the essence of the supplementary agreement with Facebook in the privacy notices of your website. The notices should contain at least the following information:
  - Data subject rights can be asserted with Facebook Ireland as well as with you;
  - The primary responsibility under the GDPR for the processing of Insights data lies with Facebook, and Facebook must comply with all obligations under the GDPR with regard to the processing of Insights data;
  - Facebook Ireland provides the essence of the Page Insights Supplement to data subjects;
  - You as the operator do not make any decisions regarding the processing of Insights data; and all other information required by Art. 13 GDPR, including the legal basis, the identity of the controller and the storage period of cookies on user end devices.
- Place a link to your supplemented data protection notice in the info area of the fan page on Facebook.
- Submit requests from data subjects and supervisory authorities to Facebook under this form as agreed.
- Also check your other platforms that offer user evaluations and tracking. The considerations and findings of this article also apply there.
- For Germany: Meet your legal notice obligation according to § 5 TMG within the scope of your Facebook fan page.
- For Germany: Obtain consent in accordance with § 25 TTDSG in order to have a suitable legal basis for data protection compliant access to the end device of the visitor to the fan page.
Conclusion: Facebook fan pages are not GDPR-compliant
The main problem with Facebook company profiles continues to be the lack of a suitable legal basis for data processing. Therefore, companies should, if possible, refrain from having such a fan page; otherwise there is the risk of a warning from the supervisory authorities, amongst other penalties, and this can lead to enormous fines.
Data protection challenges in relation to Facebook fan pages are also to be expected in the future. Facebook enjoys a special level of attention from data protection authorities and courts. Therefore, you should keep an eye on developments in this situation.