After several quiet weeks around the Facebook fan page issue, a number of things have now happened within a few days. In its ruling of June 2018, the ECJ found that, in addition to Facebook itself, fan page operators are also responsible for processing the data of fan page visitors. Pursuant to Art. 26 GDPR, joint controllers are obliged to reach an agreement, in transparent form, on who fulfills which obligations under the GDPR (a so-called joint controllership agreement). The obligations governed by the GDPR include, in particular, safeguarding the rights of data subjects, such as the rights to information and access within the meaning of Art. 13 to 15 GDPR.
Words were initially not followed by action, however, which is why on 05.09.2018 the DSK took a position on the much-discussed “Fanpage” ruling of the ECJ for the second time. In contrast to the rather vague first statement, the new decision sets out concrete requirements for fan page operators. In particular, the DSK deals with the agreement on joint responsibility under Art. 26 GDPR. In the absence of such an agreement, the operation of a Facebook fan page is unlawful.
Facebook provides required agreement
The judgment of the European Court of Justice, the DSK’s statements and Facebook’s lack of response caused considerable uncertainty among fan page operators. Now, however, Facebook has responded a few days after the DSK’s second decision and provided a document entitled “Page Insights Supplement Regarding the Responsible”. Although the title does not indicate that this is the agreement required by the GDPR, this is not necessary under Art. 26 GDPR; the content of the document is decisive.
The amended terms and conditions set out that the site operators and Facebook are jointly responsible for processing Insights data. Using this data provided by Facebook, site operators can make a statistical evaluation of visitors to their site. The possibility of using this data was the decisive point in the decision of the ECJ to oblige site operators under data protection law.
Primary responsibility for data protection lies with Facebook
Facebook will assume primary responsibility for the processing of the Insights data. This applies in particular to the data subject rights regulated in Articles 12 to 22 of the GDPR and to data security and the notification of data breaches regulated in Art. 32-34 GDPR.
In addition, it is agreed that the data controller will be Facebook Ireland (Facebook's main office in the EU). Pursuant to Article 56 GDPR, this means that the Irish data protection authorities will be in charge of all relevant matters throughout Europe. The place of jurisdiction will also be Ireland. Requests from national data protection authorities and data subjects must be forwarded to Facebook Ireland within seven days via a form.
What Fanpage operators should consider now
First, the agreement requires the site operators to designate the controller. According to an English note from Facebook, the details of the responsible company and its data protection officer, including their contact details, can be entered in the “About” section via “Edit Page Info”.
Furthermore, site operators must ensure that the processing of the Insights data rests on a legal basis pursuant to Art. 6 para. 1 GDPR. One option is the legal basis in Art. 6 para. 1 sentence 1 GDPR that legitimizes the processing of personal data where the controller's interest in the processing outweighs that of the data subject, e.g. direct mail.
The DSK has further requirements
In addition, it should be noted that the above-mentioned new decision of the DSK contains a questionnaire in its annex, which all site operators (and Facebook) should be able to answer. In part, this goes beyond the agreement according to Art. 26 GDPR. For example, the DSK wants answers to questions like:
- For what purposes and on what legal basis are entries made in the so-called local storage at the first call of a fan page even for non-members?
- For what purposes and on what legal basis are a session cookie and three cookies with lifetimes between four months and two years stored after calling a subpage within the fanpage offer?
This is of course information that is not available to the site operator, but only to Facebook. Here again, the social network must act and provide the required information.
After the uncertainty of the past few months, Facebook's agreement enormously reduces the risk of operating a fan page, since the existing “loopholes” can be largely closed.
However, the reaction of the German data protection authorities is to be awaited. A final assessment will not be possible until initial court decisions have been taken on this matter.
Kathrin Schürmann, lawyer for the digital business
Kathrin Schürmann is a lawyer and partner at SCHÜRMANN ROSENTHAL DREYER. In addition to copyright and media law, data protection and competition law, Ms. Schürmann specializes in the entire marketing area, especially at the threshold between competition and data protection law. A particular focus of her work is on advising companies in the fields of digital business, technology and the media.