CJEU: Facebook Page Owner is Joint Controller - Clarip Privacy Blog

CJEU: Facebook Page Owner is Joint Controller

Less than two weeks after GDPR Day, the Court of Justice of the European Union has just extended compliance obligations in a way that many weren’t expecting. Page admins on Facebook are responsible if Facebook infringes on the data privacy rights of users, according to a ruling from Europe’s top court this morning.

This decision could be a landmark one, establishing the privacy liability of companies with social media accounts for the failures of the social media platforms with respect to the General Data Protection Regulation (“GDPR”). Because nearly every company has a Facebook fan page and Facebook has been in the news again and again for issues with its data sharing and privacy disclosures, it poses a potentially massive compliance risk for companies with pages. In light of the ongoing concerns about data privacy issues at social media companies in general, companies now need to evaluate the data collection and sharing of every social media platform that they use, from Facebook to Pinterest to YouTube.


The case involved a German education company that was ordered in 2011 by a data protection authority to deactivate its Facebook page because neither it nor Facebook told visitors that Facebook was collecting personal data about them. The CJEU upheld the conclusion that the page admin has obligations to disclose data collection by Facebook even if it did not tell Facebook to collect the data.

The court concluded that Facebook and the page admin are joint controllers under the law that preceded the recently implemented GDPR. There is no reason to think that this interpretation will not apply in the same way under the GDPR.

In the case of a Facebook page admin, the court concluded:

– The page admin created the page, which gave Facebook the opportunity to place cookies on the devices of a person visiting the fan page.

– Facebook made available certain anonymous insights about the fan page's audience to the page admin, and provided admins the ability to retrieve demographic data about their target audience. Even though the fan page admin did not collect this data, its ability to request the data made it jointly responsible for processing.

– The use of a platform provided by another company does not exempt the page admin from its compliance obligations. The concept of joint responsibility contributes to the more complete protection of the rights of visitors.

As a result of the decision, businesses now need to take into account the collection of data and disclosures by their partners when they enable that data collection and benefit from it.

The decision acknowledges that the responsibility of the parties for the collection and processing of the personal data of visitors may be unequal. In other words, just because the parties are considered joint controllers does not mean their level of responsibility is 50-50.

Although the decision is specific to Facebook, there is no reason to think that this interpretation will not be extended to other social media platforms that collect data about users and provide that data back to business account holders.

The decision is also an indication that the CJEU is going to take a broad view of the new privacy obligations that went into effect, and companies will need to be ready to adapt to decisions of the court and data protection authorities as they unfold.

Every business that is concerned about its GDPR compliance now needs to extend those initiatives to its social media accounts because of its status as a joint controller there.

Discover the Benefits of Privacy Management Software with Clarip

The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.

If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.
