Privacy on Facebook fanpages

The flurry of privacy policies affecting the Facbeook fan pages has left a lot of uncertainty. The Berlin Data Protection Supervisor rekindled the debate in November when she published a questionnaire designed to test whether companies running a fan page lawfully process the data collected there.

Lawyer Franziska Ladiges answers LEAD questions about the current legal situation and explains how companies can make their fanpages compliant with data protection. Ladiges is counsel in the field of IT law & digital business of the law firm SKW Schwarz Rechtsanwälte in Frankfurt am Main.

Can you briefly describe the current legal situation regarding Facebook fan pages?

Facebook has been under strict data protection law for years. In June 2018, the European Court of Justice (ECJ) ruled that operators of Facebook fanpages in the EU together with Facebook Ireland should be considered as data controllers.


This means that the person who runs a page on Facebook, also adheres to privacy violations and thus the so-called privacy compliance itself.

I would also like to point out that the ECJ has indeed decided on the legal situation before the DSGVO. However, the DSGVO also knows the joint processing of several responsible persons, so that the decision can easily be transferred to the current legal situation.

Also interesting: Facebook verdict: Supplementary agreement for Fanpage operator

What does the decision of the data protection officer for the fanpages mean?

In September 2018, the Data Protection Conference (DSK) agreed with the ECJ’s view. She declared the operation of fan pages on Facebook unlawful, unless a corresponding agreement for joint processing is closed and the users are informed transparently. In addition, the DSK published a questionnaire, which both operators of the fan page and Facebook should be able to answer.

In November 2018, the Berlin Commissioner for Data Protection and Information Security substantiated the questions submitted by the DSK. As part of a hearing process, the representative sent the questions to Fanpages operators.

Fanpage operators can not answer these questions, it is obvious that the fan page is at least partially unlawful. However, an operator will not be able to answer the questions without the help of Facebook.

Finally, the Privacy Conference requires that the tracking of the social media platform requires the consent of visitors. This is highly controversial; Others argue that tracking can also be based on the legitimate interest of the operators, at least insofar as it is pseudonymised. This point is not decided by the highest court.

What do I have to do to ensure that my site is compliant with data protection?

Facebook has made the agreement required by the data protection conference under Article 26 GDPR still available in September. This is part of the Terms of Use, so fanpage operators automatically agree to the agreement if they continue to use their site.

However, operators should clearly inform visitors to their website and fanpage about the data processing (which data is processed and for what purpose by whom?) And the joint responsibility. In that regard, they must adapt their privacy policy accordingly.

Particular attention should be paid to those visitors who are not yet members of the corresponding social media channel. The fanpage operator must be able to guarantee the lawfulness of the data processing and be able to prove this. The persons concerned must also be able to see to whom they can assert their rights under the GDPR.

To be on the safe side, operators who use tracking tools would also have to obtain the consent of the visitors. However, as already explained, this requirement is highly controversial.

What happens if I do not stick to it?

Violations of data protection regulations can lead to warnings by users or competitors, which are associated with costs.

In addition, the competent supervisory authority may demand the immediate closure of the fan page and impose fines under the GDPR. However, it also depends on the degree of responsibility in each case.

According to the ECJ, the first contact person for the correct design of data protection is still Facebook. To what extent German regulators stick to this interpretation remains to be seen.

How likely is a warning?

Warnings are from our point of view at the present time not very likely. First, there are judgments that breaches of data protection legislation are not remunerative, because these rules are not primarily designed to protect competition but to protect individual privacy.

On the other hand, the legal position on Fanpages up to the decision of the Federal Administrative Court – on whose questions the ECJ had decided – has not been finally clarified. Therefore, it is not even clear that there is an infringement.

In your opinion, how great is the danger that the regulations will also affect other platforms?

Although the decision of the ECJ in this specific case only refers to Facebook. However, the principles apply to all social media platforms and services, no matter what the service is called.

Also interesting: Stop the Curiosity Network! Ten tips against tracking

Teaserbild New

Minimal online or technical enthusiast?

Tinder replaces the bar, Alexa the secretary. The digital world has long since become one with the real world. But everyone does not want to believe reality. How confidently do you move in networked life?

Do the test here

Leave a Reply

Your email address will not be published. Required fields are marked *