On June 5th, 2018, The Court of Justice of the European Union (CJEU) delivered a decision on the responsibility of those Facebook users who have fan pages.
This decision is very important to those who use fan pages to promote their company or business and it was brought about by a case brought against a German training academy, Wirtschaftsakademie, by The German Data Protection Supervisory Authority for the Schleswig-Holstein Region (GDPSA).
The regulator found that Wirtschaftsakademie was a data controller and ordered it to remove the fan page or face a heavy fine.
After some rounds of appeal, it was found that although Wirtschaftsakademie was not responsible for the actual processing of the data by Facebook, they were considered a data controller.
Should you wish to read more detailed information on the descision and the case, it can be found on ActNow’s blog, here.
What does all of this mean for anyone who wishes to run a fan page on Facebook?
Well, let’s run through a couple of definitions first, to get an understanding of the difference between a data controller and a data processor.
Article 4 (7) of the GDPR states:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
In other words, a data controller decides what data to collect, how to collect it and what will be done with it.
Article 4 (8) of the GDPR states:
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
This means that a data processor does things with the data in accordance with their agreement with the data controller.
In setting up the fan page, they were influencing the personal data processing and could also decide which statistics they would receive from Facebook. The statistics could be crafted to provide demographic and data and they could specify the categories of visitors for whom they would get data.
All of the above is decision-making activity, and so Wirtschaftsakademie was found to be a data controller.
In an ideal world, Facebook would provide an option for non-commercial fan pages to use anonymous data, so that limited statistics can be produced but none that can be used to personally identify visitors. In reality, that is unlikely to happen.