Three months ago, the CJEU (the “Court”) held that operators of Facebook Pages are jointly responsible for the data processing operations of Facebook of the visitors to its Fan Page -the key points of the case was previously discussed here. However, until today, many organisations have not closed their Facebook Fan Pages. The following aims to explore the state of affairs, to understand why and give a clear overview of what can be done.
Useful? Embed this infographic on your website.
THE AIM OF THE JUDGEMENT
Clearly, declaring the Administrator and the social network joint controllers, sharing the responsibility for the processing of the personal data* aimed to make the operators assume its obligations and ensure more complete protection of the rights of persons visiting their Fan Pages.
*not necessarily mean that the responsibility is distributed equally.
The Court didn’t give any hint to organisations about how to effectively control and assume its obligations without Facebook cooperation. Let me explain, as it is illustrated in the referred case, Facebook determines the terms for the data processing of the fan page visitor’s of Wirtschaftsakademie; hence, the organisation does not really have the power to set their own cookie notice; or decline the Facebook Insights, or execute a co-controller agreement without the cooperation of the social network.
THE STEPS TAKEN
So far, on the 8 of June 2018, the Supervisory Authority for the Land of Schleswig-Holstein announced that the operators of a Fan Page must ensure compliance with the data protection rules; in particular, transparency, lawful basis (consent for tracking mechanisms), and data controllers obligations (co-controller agreement). Emphasising to the Administrators their duty to maintain only privacy-compliant pages.
On the 19 of June 2018, Facebook declared that it will take the steps necessary to enable Fan Page Administrators to satisfy their legal obligations under a joint data controller scenario; however, after that, no further update has come through; thus, no solution has been given.
At the moment, there is only one 100% safe way to proceed for businesses; to close their Facebook Fan Pages, and to consider doing the same with pages hosted in other social networks which are not operating in compliance with the law.
However, the above, from a business point of view, is a hard decision to make. It is undisputable the power of social media to reach people (potential clients), increase exposure (marketing) and generate rewards (revenues). I guess that’s why three months later after the CJEU’s ruling, neither Wirtschaftsakademie or the Supervisory Authority for the Land of Schleswig-Holstein (the “SA”) have closed their Facebook pages.
BACKS AGAINST THE WALL
Due to the ruling, businesses, in general, should be pushing Facebook to upgrade their terms and ensure compliance with the data protection laws; otherwise, closing their page and leaving the social network. However, so far this is not happening.
On the contrary, organisations are taking compliance risks but not closing their pages; which results in weakening their bargain position and place them into a “take it or leave it” situation where the social media giant has the upper hand.
WHAT CAN BE DONE?
- Demand Facebook to provide products and services in line with the relevant data protection laws, put more pressure on this social network to change its terms, and set an example for other social networks to follow the same path.
- Check again the cost of non-compliance:
(i) The ruling does not apply only to German companies; it would have to be taken into account by all member states when interpreting EU law in similar issues;
(ii) Regardless that the responsibility of the data controllers may be different and hence affect the degree of liability, the data subjects can hold your organisation accountable for the entire damage;
(iii) As it is, the processing of personal data when using a Facebook Fan Page, among others, breach the principles of processing and data subjects rights, both sanctioned with the higher fine, 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
(iv) Corrective Measures can be instructed by the Supervisory Authority such as closing the Fan Page. Therefore, an organisation taking the risk to keep its page open can end up with a fine and forced to close the page anyway.
Do you still have questions about the use of third-party providers and platforms? Do not hesitate to reach out.
Latest posts by Jessica Lam (see all)
- How to protect your personal data? - March 4, 2019
- Why does your personal data need to be protected? - February 25, 2019
- Enforcement of judgement: Update CJEU Case C 210/16 - September 7, 2018