Yes, we already knew that Facebook is not really a data protection showpiece. However, until now it was at least common understanding that Facebook itself is responsible for what they are doing with our personal data. This has now changed due to a ruling of the CJEU…
Data Protection requirements have to be fulfilled!
The ruling of the CJEU states that the operator of a fan page on Facebook is – jointly with Facebook – responsible for protecting visitors’ personal data. This means that both have a responsibility to inform users about how personal data is processed, obtain consent, if necessary, and conclude contracts with each other to regulate responsibilities. However, as long as Facebook is not providing sufficient information about the collection and processing of user data, it will be very difficult for an operator of a fan page to fulfill all data protection requirements.
The case stems from a dispute between a German fan page on Facebook which used the social network to store cookies on visitors’ hard drives to collect data about them. The competent data protection authority ordered the operator to deactivate the page because of lack of transparency for the user. The company argued that they were not responsible.
“According to the court, the fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data,”
the Court of Justice of the European Union (CJEU) said in a statement about the ruling according to reuters. The CJEU reasoned that a page admin was a joint data controller because it could control how people’s data is used. Via Facebook Insights tool, the operator could ask for information on the demographics, interests and locations of the page’s audience.
“The court finds that an administrator must be regarded as a controller jointly responsible, within the EU, with Facebook Ireland for the processing of that data,”
the court said in a statement.
Results of the ruling
Now, Facebook and other social networks will need to conclude agreements with customers across Europe and also work on their privacy statements.
“We are disappointed by this ruling,”
said a Facebook spokesperson.
“Businesses of all sizes across Europe use internet services like Facebook to reach new customers and grow. While there will be no immediate impact on the people and businesses who use Facebook services, we will work to help our partners understand its implications.”
Data protection authorities satisfied about ruling
“The judgment confirms my view that there must not be gaps in responsibility under data-protection law. This means specifically that all administrators of Facebook Pages have to ensure that they and Facebook conform to their respective obligations under data protection law,”
said Marit Hansen, the Schleswig-Holstein data-protection commissioner, according to zdnet.
“This is particularly important with regard to the information obligations: transparency is required for the processing of data concerning all users, whether they are member of Facebook or non-members.”