After almost three years of radio silence (last statement from 2019 available here), the Datenschutzkonferenz, the association of German data protection authorities ("German DPAs"), issued two new publications on the operation of so-called Facebook fanpages ("Fanpages") on 24 March 2022: (1) a short expert opinion ('Kurzgutachten' in German, "Expert Opinion", available here) and (2) a decision based on the Expert Opinion ('Beschluss' in German, "Decision", available here). Neither publication contains any surprises, but - again - organizations ask: What shall we do?
But first things first - what do the Expert Opinion and the Decision say?
Expert Opinion:
The Expert Opinion takes into account the most recent case law, namely the decision of the OVG Schleswig dated 25 November 2021 (docket no. 4 LB 20/13, "OVG Schleswig Decision", available here). In essence, however, it mainly reiterates the German DPAs' opinion that the operation of Fanpages does not meet data protection standards for the following reasons:
- According to the German DPAs, Facebook (now Meta) provided insufficient information with regard to the concrete data processing activities on Fanpages, resulting in Fanpage operators being unable to provide sufficient information pursuant to Art. 13 GDPR.
- Further, the "Page Insights Controller Addendum", the joint controller agreement pursuant to Art. 26 GDPR that Meta has been making available to Fanpage operators in light of a 2018 CJEU judgment, was insufficient for the same reason (for details please also see our blog post on this, available here - not new, but still current and applicable in this regard).
- Fanpage operators - public as well as non-public ones - were lacking a legal basis pursuant to Art. 6 GDPR regarding data processing on Fanpages in connection with the Insights Analytics functionality.
A focus of the Expert Opinion, in contrast to earlier publications of the German DPAs where this was more of a side issue, is on cookies used on Fanpages (likely in focus because of Germany's new cookie law that came into effect on 1 December 2021). According to the Expert Opinion, the cookies set in connection with visits to Fanpages require consent and the respective consent banner provided was insufficient, which is an additional aspect leading to non-compliance with data protection standards.
An interesting fact to be noted: In the Expert Opinion, the German DPAs - once again - disagree with a court's decision and thus suggest that they are unaware of their position within the German separation of powers model: According to the OVG Schleswig Decision, Fanpage operators do not have an interest in the Insights analytics data being combined with other data for the creation of profiles in order to use such profiles for subsequent advertising activities. According to the court, Fanpage operators are hence not responsible for such processing, but Meta alone is. The German DPAs disagree with this, stating that Fanpage operators do have an interest in such profiling and advertising as they were only able to operate Fanpages free of charge due to the fact that Facebook earns money with such advertising.
Decision:
The Decision mainly sums up the findings of the Expert Opinion and clarifies that the Expert Opinion forms "an important basis for [the German DPAs'] supervisory activities towards public and non-public entities." The German DPAs however stress in the Decision that, due to their exemplary function, public authorities are the primary focus of attention for the German DPAs' enforcement actions.
What now? Should organizations shut down their Fanpages?
The German DPAs' newest publications increase the risk of possible enforcement actions against Fanpage operators, as they add another "We told you so!" to the German DPAs' list of arguments. The very prudent way would thus be deactivating Fanpages.
BUT: Organizations that still operate Fanpages despite the 2018 and 2019 publications from the German DPAs have decided to continue the operation based on internal assessments in which pros and cons of operations were weighed against each other. In other words: Organizations have had their reasons to continue operating Fanpages. Thus, these organizations should re-assess the situation and determine: Why do I operate the Fanpage? Do I need it, i.e. do the benefits outweigh the risks (= possible GDPR fines)? Are there alternatives for me?
In any case, organizations need to ensure that they do everything that is possible within their sphere of responsibility to operate a Fanpage (also see the 'first aid kit' at the end of our article available here), i.e. make a privacy policy for the Fanpage available (although the German DPAs do not deem it sufficient), 'accept' the Page Insights Controller Addendum (available here) and monitor developments.
Despite the Expert Opinion and the Decision, there are various authorities, even supreme Federal authorities like Federal Ministries, that still operate their Fanpages. If not even state organs are impressed by the German DPAs' opinion, why should private organizations be? Also - are German DPAs really interested in the data subjects' freedoms and rights when it comes to Fanpages, or is there a much bigger goal behind it that they can't reach directly and try to target by 'detour' via organizations?