On June 5th, 2018, The Court of Justice of the European Union (CJEU) delivered a decision on the responsibility of those Facebook users who have fan pages.
This decision is very important to those who use fan pages to promote their company or business and it was brought about by a case brought against a German training academy, Wirtschaftsakademie, by The German Data Protection Supervisory Authority for the Schleswig-Holstein Region (GDPSA).
Wirtschaftsakademie had set up a Facebook fan page but neither they, nor Facebook Ireland had notified any visitors to the page regarding the use of cookies or what would be done with their personal data, when liking the page. The GDPSA felt that Wirtschaftsakademie had effectively contributed to the personal data collected by Facebook (data belonging to the visitors to the fan page) and that it was able to profit from the statistics which Facebook provided to it.
The regulator found that Wirtschaftsakademie was a data controller and ordered it to remove the fan page or face a heavy fine.
After some rounds of appeal, it was found that although Wirtschaftsakademie was not responsible for the actual processing of the data by Facebook, they were considered a data controller.
Should you wish to read more detailed information on the descision and the case, it can be found on ActNow’s blog, here.
What does all of this mean for anyone who wishes to run a fan page on Facebook?
Well, let’s run through a couple of definitions first, to get an understanding of the difference between a data controller and a data processor.
Article 4 (7) of the GDPR states:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
In other words, a data controller decides what data to collect, how to collect it and what will be done with it.
Article 4 (8) of the GDPR states:
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
This means that a data processor does things with the data in accordance with their agreement with the data controller.
In the case above, it was found that by setting up a fan page, Wirtschafstsakademie was entering into a contract with Facebook, thereby agreeing to the conditions of use. This includes the use of cookies.
In setting up the fan page, they were influencing the personal data processing and could also decide which statistics they would receive from Facebook. The statistics could be crafted to provide demographic and data and they could specify the categories of visitors for whom they would get data.
All of the above is decision-making activity, and so Wirtschaftsakademie was found to be a data controller.
For anyone running a fan page, this might seem a bit worrying. Many people who have a fan page are not using it for business purposes and will not profit financially from any statistics provided by Facebook. However, as with anything GDPR related, the key is clarity. If you have a fan page, then the best advice would be to place a notice in clear view, telling visitors that the Facebook page uses cookies to obtain certain personal data and what, if anything, you will use that personal data for.
In an ideal world, Facebook would provide an option for non-commercial fan pages to use anonymous data, so that limited statistics can be produced but none that can be used to personally identify visitors. In reality, that is unlikely to happen.
