Many businesses open a Facebook page to extend their online visibility and drive marketing activities. But the Court of Justice of the European Union has ruled, in a judgment of 5 June 2018 (Case C-210/16, Wirtschaftsakademie Schleswig-Holstein), that if that is your case, you may be held responsible for the processing of your visitors' personal data by… Facebook.
How come?
The data processing at issue essentially consists of Facebook placing cookies on the computer or other device of persons visiting your fan page.
Facebook then processes the information stored in those cookies to provide the page administrator with statistics on visits to the page and to improve targeted advertising.
The Court considered that, by creating the Facebook page, the administrator gives Facebook the opportunity to place cookies on the computer or other device of a person visiting the page (whether or not that person has a Facebook account) and that, by defining the page's parameters and deciding which categories of persons and of personal data are to be processed by Facebook, the administrator takes part in the processing of personal data by Facebook.
By defining the parameters used to target the audience, the administrator of the page takes part in determining the purposes and means of processing the personal data. The administrator must therefore, says the Court, be regarded as a controller of the personal data, jointly with Facebook.
What are the implications in the light of the GDPR?
This case was decided under the "old" Directive 95/46. The Court notes that the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data.
However, article 26 of the GDPR states that joint controllers “shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them”.
Under the GDPR, Facebook and the administrator of a professional page should therefore have an arrangement setting out their respective responsibilities, and should update their privacy policy or policies accordingly.
But how will each controller's level of responsibility be assessed? Will only the arrangement be taken into consideration, letting Facebook dictate the split of responsibility? Or will courts be able to determine it with regard to all the relevant circumstances?
Even more importantly, Article 26(3) of the GDPR states that "Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers".
With the Court's judgment, the administrator of a Facebook fan page now faces the risk that a data subject exercises against him or her the rights that the data subject has over data which the administrator has helped Facebook to collect and process, with the danger, depending on Facebook's cooperation, of not being able to fulfil those obligations.
What about other services such as Google Analytics, Google AdWords, etc.?
In the light of the Court's judgment, where a website administrator helps a third party to collect and process, through cookies, data such as demographics, the centres of interest of the target audience, the categories of goods and services that appeal most, geographical data, etc., the question arises whether a website administrator using, for example, Google Analytics could now be regarded as a joint controller together with Google.
Article 26 of the GDPR would then apply, the website administrator being a joint controller of the personal data together with Google.
Conclusion: joint controller agreement and privacy policy update
All services similar to Facebook pages, where a content administrator helps a third party to collect the personal data of persons identified via parameters set by the administrator, will now require a joint controller agreement and a privacy policy update.
It is advisable that the role and responsibilities of each controller be clearly defined in the agreement and explained in the privacy policies.
(co-author Claude Englebert)