Administrators of Facebook fan pages are liable under GDPR
Administrators of Facebook fan pages are “jointly responsible” with Facebook for data processing, according to a landmark decision by the Court of Justice of the European Union.
On 5 June 2018, the CJEU ruled that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page.
This decision of the Court of Justice of the EU came about following a preliminary ruling from the Federal Administrative Court, Germany and could have serious implications for individuals who are the administrators of social media pages across the internet.
The facts of the case are fairly simple.
W is an organisation offering educational services by means of a fan page hosted on Facebook.
On 3 November 2011, a German data protection authority, the ULD, ordered W to deactivate the fan page it had set up on Facebook at the address www.facebook.com/wirtschaftsakademie or risk a hefty fine. The reason for the order was that neither W nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected personal data concerning them and then processed the data.
Fan pages are user accounts that can be set up on Facebook by individuals or businesses. To do so, the administrator of the fan page, after registering with Facebook, can use the platform designed by Facebook to introduce himself to Facebook users and visitors and to post any communications to them.
Administrators of fan pages of Facebook can obtain anonymous statistical information on visitors to the fan pages via a free tool called ‘Facebook Insights’ which is provided by Facebook. That information about the visitors to the fan page is collected by ‘cookies’, each containing a unique user code, which are active for two years and are stored by Facebook on the hard disk of the computer or on other media of visitors to fan pages.
The user code, which can be matched with the connection data of users registered on Facebook, is collected and processed when the fan pages are opened.
The case came to the European after a number of appeals and counter appeals with W claiming that it was not responsible for the processing data of Facebook users and visitors.
While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by Facebook, the court concluded that the position of an administrator of a fan page is different because by creating such a page, the administrator gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account. Facebook contract with page administrators make this position clear.
The Facebook fan page administrator, with the help of tools provided within the Facebook platform, is able to define the criteria of Facebook users and visitors who might visit the page and even designate the categories of persons whose personal data is to be made use of by Facebook. Consequently, the administrator of a fan page hosted on Facebook contributes to the processing of the personal data of visitors to its page.
For example, the administrator of the fan Facebook page can ask for the processing of demographic data relating to its target audience, including trends in terms of age, sex, relationship and occupation, information on the lifestyles and centres of interest of the target audience and information on the purchases and online purchasing habits of visitors to its page, the categories of goods and services that appeal the most, and geographical data which tell the fan page administrator where to make special offers and where to organise events, and more generally enable it to target best the information it offers.
While the audience statistics compiled by Facebook are anonymised by Facebook before they are given to the fan page administrator, it remains the case that the production of those statistics is based on the prior collection, by means of cookies installed by Facebook on the computers or other devices of visitors to that page, and the processing of the personal data of those visitors for such statistical purposes.
Therefore, the administrator of a fan page hosted on Facebook, such as W is regarded as taking part, by its definition of parameters depending in particular on its target audience and the objectives of managing and promoting its activities, in the determination of the purposes and means of processing the personal data of the visitors to its fan page. The administrator must therefore be categorised as a data controller jointly with Facebook.
The two controllers may have different responsibilities as each may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.