Court decides Facebook Page admins are liable under GDPR
The question of whether Facebook Group administrators are liable to users of their Pages under GDPR has been considered by the European Court, which decided that an administrator of a fan page on Facebook is jointly responsible, together with Facebook, for processing the data of users of the Facebook Fan Page. This decision has raised questions about the liability of users on other social media networks regarding the comments made on their posts by other users.
On 5 June 2018, the Court of Justice of the European Union (CJEU) ruled that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data for visitors to the Page. This case was decided following a preliminary ruling from the Federal Administrative Court in Germany and could have serious implications for anyone who starts and operates a Facebook Page as an administrator.
The decision also raises the question as to whether a co-administrator or someone who has some administrative rights over a Facebook Page can be held jointly liable under GDPR. The case involved an organisation which offers educational services by means of a Fan Page hosted on Facebook.
On 3 November 2011, a German data protection authority, the ULD, ordered an organisation to deactivate the fan page it had set up on Facebook at the address www.facebook.com/wirtschaftsakademie or risk a hefty fine.
The reason for the order was that neither the organisation nor Facebook informed visitors to the fan page that Facebook, by means of cookies, collected personal data concerning them and then processed the data. The case came to the European Court after numerous appeals and counter-appeals by the organisation, which denied that it was responsible for Facebook’s processing of the data. The organisation said that the processing was entirely Facebook’s doing and that it was Facebook’s responsibility to handle matters concerning the processing of third-party data on its platform.
A Facebook Fan Page is a business account that represents a company or organization. It looks similar to a Facebook Profile, but it offers unique tools for managing and tracking engagement. Fan pages are user accounts that can be set up on Facebook by individuals or businesses. To do so, the administrator of the Fan page, after registering with Facebook, can use the platform designed by Facebook to introduce himself to Facebook users and visitors and to post any communications to them.
Facebook stores cookies in its data centres, but some of the cookies are stored locally on the Facebook user’s own computer or mobile device. Each Facebook visitor is assigned a unique code. The code is then matched with the connection data of that individual. The data is then collected, collated, and sorted by Facebook. Each time a new Facebook Fan Page is opened, Facebook, through various cookies, collects data about the visitors to the page. Visitors are often unaware of the extent to which Facebook collects such data.
The court said that liability under GDPR is not extended to every Facebook user. It was only extended to those who create Facebook Pages. The liability of the individual or organisation that creates a Facebook Page is a joint liability, together with Facebook.
The court concluded that the position of an administrator of a Fan Page is different because, by creating a Fan Page, the administrator gives Facebook permission to place cookies on the computer or other device of each individual who visits the Fan Page, whether or not that person has a Facebook account. The terms and conditions which are agreed to by each Facebook user who creates a Facebook Page make this position clear.
The administrator of a Facebook Fan Page can take advantage of the cookies and of the tools that Facebook provides to define the criteria of Facebook users and visitors who might visit the Page, and even to designate the categories of persons whose personal data is to be made use of by Facebook. Consequently, the administrator of a Fan Page hosted on Facebook contributes to the processing of the personal data of visitors to its page.
The type of control that an administrator of a Facebook Page has in relation to data processing includes requesting that Facebook consider demographic data relating to its target audience; sensitive personal data such as users’ age, sex, relationship and occupation; information on the lifestyles and centres of interest of the target audience; information on the purchases and online purchasing habits of visitors to its page and the categories of goods and services that appeal to them the most; and geographical data which tell the Facebook Fan Page administrator where to make special offers and where to organise events, and more generally enable it to best target the information it offers. While the audience statistics compiled by Facebook are anonymised by Facebook before they are given to the administrator of the Fan Page, creating and producing this type of statistics involves the prior collection, by means of cookies, and the processing of the personal data of those visitors for such statistical purposes.
It follows that the administrator of a Facebook Fan Page is taking an active part in deciding what data is going to be collected by Facebook on their behalf. They then make use of the data to create promotions, sales activities and to help them decide on the particular content that might be promoted to visitors of the Fan Page. The administrator therefore takes part in processing users’ data and as such, can be considered a data controller jointly with Facebook. The two controllers may have different responsibilities as each may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.