Does your company have a Facebook fan page?
On June 5, 2018, the European Court of Justice (ECJ) passed an eagerly awaited ruling on the data protection obligations of companies that operate a so-called "Facebook fan page".
The data collected is used both by Facebook to improve their advertising system and by the company itself. In some cases, the data is also passed on to "Facebook partners", e.g. Cambridge Analytica.
A company that operates a Facebook fan page receives certain personal data about the visitors to its fan page via the Facebook Insight function, in the form of anonymous statistics that can be used to optimize the company’s marketing. When setting up the fan page, a company can define filter criteria according to which these statistics are generated, e.g. a visitor’s age, gender, relationship status, professional situation, lifestyle or interests.
In its recent ruling, the ECJ ruled that not only Facebook, but also the company operating the fan page, is legally responsible for data protection. This is remarkable in that the company itself does not actually collect any personal data and the data is collected by Facebook only.
In the view of the ECJ, the company is nevertheless indirectly involved in the processing of the data through the filters selected. This and the creation of a fan page make it possible for Facebook to collect the data in the first place.
This means that both Facebook and the company are considered "controllers" and have a "shared responsibility" towards the visitors to the fan page, although the degree of responsibility and liability can vary depending on the circumstances.
Data protection consequences for fan page operators
What consequences does this have for companies running a fan page on Facebook or in other social media? The answer to this question has not yet been sufficiently clarified, but for the time being, the following rings true:
Risks for companies using Facebook & Co
Conclusion: Without the cooperation of Facebook, the data protection problems appear to be unsolvable. According to a press release by the Saxon Data Protection Officer (www.saechdsb.de), this is also the view of the German data protection authorities. Fan page operators are therefore currently exposed to the risk of fines and claims for damages.
A final word about the Facebook function Custom Audiences, where companies' hashed email addresses are sent to Facebook for comparison and targeted advertising: According to a recent ruling by the Administrative Court of Bayreuth, this requires the consent of those affected.