Facebook fan pages can provide valuable communication channels, including for online printers. However, legal changes might force some website operators to act in the future.
This ruling has caused quite a stir in many companies in the online print industry: In a preliminary ruling, the European Court of Justice ruled that not only Facebook itself but also the operators of Facebook fan sites are responsible for any data protection violations. Does an online printer have to delete its entire Facebook presence now? In the following article Dr. Martin Schirmbacher, attorney for the Initiative Online Print and specialist lawyer for IT law at HÄRTING Rechtsanwälte, explains in detail the background to the ruling and what might become more common in the future with regard to Facebook fan sites for online printers.
Seven years ago, the Academy of Economics of Schleswig-Holstein, which offers various educational services on Facebook via a fan page group, sued the Independent Centre for Data Protection Schleswig-Holstein (ULD) after the latter ordered the Academy’s fan page to be deactivated. The reason given was that neither the Academy of Economics nor Facebook informed the fan page users of the collection and processing of personal data using cookies. However, the plaintiff was of the opinion that the processing of personal data by Facebook could not be attributed to it.
The dispute continued through the Higher Administrative Court in Schleswig to the Federal Administrative Court, which in turn appealed to the European Court of Justice (ECJ) at the beginning of 2016 to answer several questions concerning the EU Data Protection Directive then applicable. The most important preliminary question that was raised concerns the responsibility of fan page operators. The court wanted to know whether companies that set up a fan page on Facebook should be regarded as operators of the page from the point of view of data protection law. This would mean that in the event of a data protection violation, not only Facebook but also the company operating the page could be held liable. From the point of view of liability law, liability is immediately obvious. After all, the company is free to decide on the content of the site. On the other hand, it has no influence on the data that Facebook collects on Facebook in general and on the fan page in particular. The companies operating the pages are not even aware of which data is collected for which purposes on the fan pages. As a company, you can only access aggregated data that does not allow any conclusions to be drawn about specific users.
However, the European Court of Justice’s answer to the first question, at least, is not likely to be in the interest of most online printers: As well as Facebook, the operator of a Facebook fan page is also responsible for data processing!
The ECJ justified this by the fact that although Facebook ultimately provides the fan page, the operator can use various filtering options to determine which personal data of visitors to its fan page should be collected and processed. This participation “in deciding on the purposes and means of processing the personal data of visitors to its fan page” is sufficient to accept shared responsibility, even if the operator has no independent access to this data. It is the protection of users that is decisive: only through joint responsibility on the part of social networks and fan page operators can the protection of the rights of those affected, as required by the data protection directive at the time, be guaranteed more comprehensively. Contrary to what the supervisory authority initially claimed, however, there is also no commissioned data processing by Facebook. The company is not solely responsible, but rather the European Court of Justice sees the main responsibility clearly with the operator of the social network. The ECJ makes it perfectly clear that the existence of shared responsibility does not necessarily mean that those concerned are equally responsible. Rather, the degree of responsibility must be decided on a case-by-case basis, taking into account all relevant circumstances. The main responsibility will therefore probably lie with Facebook in most cases. The judgement is based on the old EU data protection law. As is well known, this has been history since May 2018 and has been replaced by the much discussed (and cursed) General Data Protection Regulation. There is a lot to suggest that the ECJ, which probably did not take the decision after the deadline of 25 May 2018 by chance, would have made the same decision under the GDPR.
In another question, the Federal Administrative Court asked the ECJ whether the ULD could also have filed a direct complaint against Facebook. Consequently, the court found here that the ULD would also have been authorised to take direct action against Facebook. It is irrelevant that Facebook is based outside the European Union and data processing is not the responsibility of the subsidiary Facebook Germany but Facebook Ireland according to the group’s distribution of functions.
What has to be done now?
The first commotion has died down. Online printers continue to run fan pages and that is indeed a good thing. The immediate consequences are:
1. Fan pages do not have to be deactivated immediately!
The ECJ has not ruled whether fan pages are against the law, but merely established the shared responsibility of operators and Facebook. The Federal Administrative Court will decide on a possible violation of the law. It is conceivable that the court will once again refer the dispute back to Schleswig – and then have to decide on the basis of the GDPR. The end is not yet in sight.
Therefore you do not have to take your fan pages offline immediately. It has not yet been established by the courts that operating a fan page from a German (better: EU) perspective is illegal. We do not expect many complaints to be filed now before the proceedings are over. However, it certainly makes sense to keep an eye on the further course of the trial.
3. Draw up a shared responsibility agreement!
While the first two points are comparatively easy to fulfil, an important point remains open: According to Art. 26(2) GDPR, jointly responsible parties are obliged to define which of them fulfils which obligation under the GDPR in an agreement. Such a joint controller agreement must therefore specify who is responsible for data privacy information and for responding to requests for information, for instance.
Following the ruling, it was suspected that Facebook would now propose entering into such agreements relatively quickly to fan page operators. But so far there is nothing concrete from Facebook on this. So all that remains is: wait and see.
The direct consequences of the ruling are comparatively simple, although not easy to implement. The longer-term, more general consequences will be considerably more serious: Not every service provider or partner who processes any data is a contracted processor. This has always been the case, but it has now reached a whole new level of public awareness. My prognosis: In the future, some online printers will have to deal with shared responsibility much more frequently.
PS: Martin Schirmbacher also offers seminars on data privacy law in online marketing which will keep you up to date.