Facebook fan page administrators are joint controller together with Facebook

Facebook fan page administrators are joint controller together with Facebook
zapierhelper

In June 2018, the Court of Justice of the European Union (CJEU) ruled that companies and people who are administrator of a Facebook fan page are also responsible for the protection of the personal data on those pages, together with Facebook. The ruling of the CJEU concerns a question raised at a time when the GDPR had not yet entered into force. The decision itself however happened after the 25th of May. Although based upon the provision Directive 95/46/EC, the judgement of the Court also refers to the GDPR.

Background

On the 3th of November in 2011, a local supervisory authority in Germany ruled that the Facebook fan page of a private educational establishment (Wirtschaftsakademie Schleswig-Holstein) had to be deactivated. Their argumentation was that neither Facebook, nor Wirtschaftsakademie itself had informed the visitors of the page of the fact that Facebook was collecting and processing their personal data.

Wirtschaftsakademie argued that this ruling was unjust in the sense that the supervisory authority should have acted against Facebook instead of them. In relation to this, the CJEU was asked for their interpretation in light of the Directive 95/46/EC.

The decision of the CJEU

The CJEU emphasizes that the fact that Facebook is controller is not part of the discussion, because Facebook primarily determines the purposes and means of the processing of the personal data. However, the administrators of the page are also controllers because they partly determine the purposes and means of the processing of the personal data of the visitors.

The reasoning behind this is that administrators create the possibility for Facebook to place cookies on the computer or any other device that belongs to the visitors of the fan page, regardless of whether this person has a Facebook account. Also, administrators can define certain settings when creating the fan page. By doing this, the administrators can control how the data of the visitors is used and can thus contribute to the processing of the data by Facebook.

More specifically the administrators have the possibility to ask for (anonymized) demographic data through the Insides-functions of Facebook. They can do this in order to better adapt the information they offer on the fan page. This data is stored on the administrator’s computer.

By recognizing this joint controllership, the CJEU wants to ensure maximum protection of the visitor’s rights as data subjects.

I am an administrator of a Facebook fan page: what does this mean for me?

This ruling is relevant for every association or organization, ranging from a sports club to a multinational company that has a Facebook page. Although the decision confirms the joint controllership, it also states that this doesn’t necessarily mean that the responsibility is equally divided between Facebook and the administrator. To determine the level of responsibility, all relevant circumstances have to be taken into account. If you receive complaints as an administrator concerning personal data in connection to your fan page, it might as well be that Facebook is still responsible.

To understand this better, one could consider his Facebook fan page as one’s own website, built within the platform Facebook offers. You cannot simply pass the responsibility of dealing with privacy on to Facebook. More specifically the obligation to inform plays a role here, transparency is key. Try to be as clear as possible about the means and purposes that you manage, for example if you use certain settings to adjust the content you put on the page. Of course, one could also think about whether it is necessary to have a Facebook fan page, but when you decide to do so, you need to accept the responsibilities in relation to privacy that come with it.

Although you can take these small measures, it is Facebook that should be informing the administrators about what Facebook does and about what the administrators have to do. They could easily add this to ‘Facebook Pages Manager’, the app to manage your Facebook page (Apple or Android). It is strongly recommended that Facebook takes a stand on this issue, to facilitate the administrators of more than 60 million Facebook pages.