Facebook fan pages are very popular with businesses. They enable companies to achieve a high reach at comparatively low or no cost. Although the issue of data protection is often considered in this context, very few people take a close look. The "Taskforce Facebook Fanpages" of the Data Protection Conference (DSK), the body of independent German federal and state data protection supervisory authorities, took a close look and came to a devastating conclusion: Facebook fanpages are illegal under data protection law.
What are Facebook Fan Pages?
A Facebook fan page is a kind of "mini website" within the Facebook network. On this "mini-website", entrepreneurs can present themselves and their products and/or services.
From a marketing point of view, a Facebook fan page is interesting for many companies and certainly indispensable for some.
Why must data protection law be observed for a Facebook fan page?
When using Facebook and Facebook fanpages, cookies are inevitably set (so-called c_user, datr and fr cookies), which are to be classified as personal data according to both recital 36 of the GDPR and the case law of the ECJ.
In particular, however, visitor statistics are created when visiting the Facebook fan page, and for registered visitors also non-anonymized visitor statistics. Both Facebook (more precisely: the company Meta) and the operator of the Facebook fan page can access these visitor statistics. The processing purpose of these visitor statistics is often unclear. It can be assumed that the visitor statistics are processed by Meta for advertising purposes.
Why is the operator of a Facebook fan page responsible under data protection law?
Many operators of Facebook fan pages are probably wondering why they are responsible for any data processing operations on "Facebook" at all.
On this issue, the ECJ already ruled in 2018 that the operator of a Facebook fan page, by setting up such a Facebook fan page, enables Meta to place cookies on the computer or any other device of the person who has visited his Facebook fan page, regardless of whether this person has a Facebook account. Thus, the operator of the Facebook fan page makes a significant contribution to the processing of personal data of the visitors of the Facebook fan page and is therefore (jointly) responsible under data protection law. Based on this consideration, Meta and the operator of the Facebook fan page are jointly responsible under data protection law pursuant to Art. 26 DSGVO.
Why is a Facebook fan page illegal under data protection law?
According to the DSK, Facebook fan pages are contrary to data protection law for the following reasons:
- The consent that Facebook obtains from visitors does not meet the requirements of Section 25 (1) TTDSG in conjunction with. Art. 7 DSGVO and is therefore invalid. Consent is also required. The processing of the personal data of visitors to a Facebook fan page are not technically necessary for its operation.
- The description of the data processing in Facebook's "consent banner" is superficial and incomplete, and thus does not meet the requirements under Art. 13 (1) GDPR.
- Pursuant to Art. 5 (2) of the GDPR, operators of Facebook fan pages cannot prove that an effective agreement exists with Meta on joint data protection responsibility pursuant to Art. 26 of the GDPR. The documents cited by Meta via various links do not satisfy the requirements under Art. 26 GDPR.
- Finally, the FDPIC doubts whether the requirements for a third-country transfer pursuant to Art. 44 et seq. GDPR are met. There is no doubt that personal data are transferred to a third country. However, the DSK's expert opinion does not contain any specific findings in this regard.
What do the courts say about Facebook fan pages?
According to a decision of the OVG Schleswig-Holstein of September 4, 2014 (Case No. 4 LB 20/13), the operation of a Facebook fan page is illegal under data protection law. A corresponding prohibition order by the responsible supervisory authority was lawful. After referral to the ECJ and subsequent review by the Federal Administrative Court, the OVG Schleswig-Holstein again ruled on November 25, 2021 that the prohibition order of the competent supervisory authority was lawful. In its reasoning, the OVG Schleswig-Holstein stated that the consent to the processing of personal data when using the Facebook fan page was invalid, the description of the data processing did not meet the requirements under Art. 13 (1) of the GDPR, and the requirements for joint data protection responsibility under Art. 26 of the GDPR were not met.
What you need to do?
The issue of Facebook fanpages is red-hot for you:
- It is to be feared that all German supervisory authorities could follow the DSK's brief opinion and gradually issue prohibition orders.
- There is a higher and supreme court ruling on the subject of Facebook fan pages. Here, too, it is to be feared that other courts will follow the decision.
- Since the ECJ's decision of April 28, 2022 (Case No. C-319/20), consumer protection associations may now also take action against violations of the protection of personal data and, if necessary, also file lawsuits.
They may therefore also be targeted by consumer protection associations, some of which have considerable financial and human resources. It can also be assumed that some consumer protection associations are trying to tap into new sources of revenue in the area of data privacy.
Violations of data protection regulations by Facebook fan pages can result in warnings, lawsuits and/or fines of up to 20 million euros!
If you want to take the safest route in terms of data protection, you need to turn off your Facebook fan page!
Time may also be working for you. Meta will certainly follow the developments of data protection law in Europe closely and ideally work on solutions. Especially the Facebook fanpages have a high importance for Meta, because this strengthens the so-called network effect, which significantly promotes Meta's business interests (advertising). Meta is thus likely to have a strong interest in many Facebook fan pages. This goal would be undermined if companies shut down their Facebook fanpages due to data protection uncertainty.
We are happy to support you in data protection issues relating to Facebook fanpages and represent you in the event of warnings or in proceedings before the supervisory authority or in court.
GoldbergUllrich Lawyers 2022
Julius Oberste-Dommes LL.M. (Information Law)
Specialist lawyer for information technology law