Three months ago, the CJEU (the “Court”) held that operators of Facebook Fan Pages (Administrators of Fan Pages) are jointly responsible with Facebook for the processing of the personal data of visitors to those pages. The key points of the case were previously discussed here. However, to date, many organisations have not closed their Fan Pages.
The following explores the state of affairs, to understand why and to give a clear overview of what can be done.
Clearly, declaring the Administrator and the social network joint controllers, sharing the responsibility for the processing of the personal data*, aimed to make the operators assume their obligations and ensure more complete protection of the rights of persons visiting their Fan Pages.
*This does not necessarily mean that the responsibility is distributed equally.
The Court did not give organisations any hint about how to effectively exercise control and assume their obligations without Facebook's cooperation. Let me explain: in the case, Facebook determines the terms for the data processing of the visitors to Wirtschaftsakademie's Fan Page; hence, the organisation does not really have the power to set its own cookie notice, decline Facebook Insights, or execute a co-controller agreement without the cooperation of the social network.
The Steps Taken
So far, the Supervisory Authority for the Land of Schleswig-Holstein has announced that the operators of a Fan Page must ensure compliance with the data protection rules, in particular transparency, lawful basis (consent for tracking mechanisms), and data controllers' obligations (co-controller agreement), emphasising to the Administrators their duty to maintain only privacy-compliant pages.
Facebook, in turn, declared that it will take the steps necessary to enable Fan Page Administrators to satisfy their legal obligations under a joint data controller scenario; however, no further update has come through since, and thus no solution has been given.
At the moment, the only solution is to close Facebook Fan Pages and to consider doing the same with pages hosted on other social networks which are not operating in compliance with the law.
However, from a business point of view, this is a hard decision to make. The power of social media to reach people (potential clients), increase exposure (marketing) and generate rewards (revenues) is indisputable. I guess that’s why, three months after the CJEU’s ruling, neither Wirtschaftsakademie nor the Supervisory Authority for the Land of Schleswig-Holstein (the “SA”) has closed its Facebook page.
Backs against the Wall
Due to the ruling, businesses in general should be pushing Facebook to upgrade its terms and ensure compliance with the data protection laws, or otherwise closing their pages and leaving the social network; but so far this is not happening.
In general, companies are taking the risk and not closing their pages, leaving Facebook in the great position of “take it or leave it”.
Review the Cost
- The ruling does not only apply to German companies; it has to be taken into account by all member states when interpreting EU law in similar issues.
- Although the responsibility of the data controllers may differ, and hence affect the degree of liability, data subjects can hold both organisations (Facebook and you) accountable for the entire damage.
- As it stands, the processing of personal data when using a Facebook Fan Page breaches, among others, the principles of processing and data subjects' rights, both sanctioned with the higher fine: 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
- Corrective measures, such as closing the Fan Page, can be imposed by the Supervisory Authority. Therefore, an organisation taking the risk of keeping its page open can end up with a fine and be forced to close the page anyway.
Latest posts by Jessica Lam
- How to protect your personal data? - March 4, 2019
- Enforcement of judgement: Update CJEU Case C 210/16 - September 7, 2018
- Data Protection and Marketing - August 7, 2018