Task

Thema 6 – Facebook Fanpage

Das Unternehmen möchte eine Facebook-Fanpage erstellen. Hier sollen nicht nur Kunden angesprochen werden, sondern auch potentielle neue Mitarbeiter. Prüfen Sie, welche datenschutzrechtlichen Anforderungen beachtet werden müssen.

A company wants to have a Facebook Fanpage. Not only to interact with clients, but to new potential hires. Test which data protection regulations need to be considered.

Intro

I’ll start with describing Fanpage in general, without the scenario of using them for the purposes described. I’ll focus on clients and workers in the second part.

Facebook fan pages

Basics

Facebook is a social network; while standard Facebook profiles are used by private people, Facebook fan pages are used to represent companies (organizations, bands, …), mostly for marketing purposes. They offer additional tools for analysis and engagement, such as “Insights”.

Facebook Insights

Facebook Insights provides to Fanpage admins additional data about people interacting with it. It’s in anonymized and aggregated form. For non-logged-in people it’s only clicks and views, for logged in users a lot more. This data is not identifiable directly, but identifiable in aggregate.¹²

Both sample action and other info used are listed in the Facebook Page Controller Addendum².

• Sample actions:
  • viewing a page/post/video/story
  • liking/unliking
  • hiding a page
  • hovering over a link to see the preview
• Sample data about the person doing the action:
  • For logged-in users:
    • Facebook user ID (for logged in users only)
    • Age/gender group (from user profile for logged in users only)
  • For both logged-in and non-logged in users:
    • Country/City (estimated from IP address or imported from user profile for logged in users)
    • Language code (from browser’s http header and/or language setting)
    • Website previously visited (from browser’s http header)
    • Whether the action was taken from a computer or mobile device (from browser’s user agent or app attributes)

What’s notable is that part of the latter are things the user itself can’t access or control easily, such as user agent, location estimated from IP, etc.

Relevant laws

Two main regulations are discussed here:

• The General Data Protection Regulation (2016/679, “GDPR”), a regulation in EU law on data protection and privacy in the EU
• The Telekommunikation-Telemedien-Datenschutz-Gesetz³ (TTDSG)

Personal data in the context of Fanpages

Personal data comes into play just by visiting such Fanpages, and can be roughly divided into two scenarios: when the user is logged in or the user is not logged in.

As discussed in the short paper⁴ published by the Thuringian data protection authority (TDPA) on 25 March 2022, a number of cookies are set by Facebook, and the purpose of all of them is either unknown or not completely clear; the three most notable ones are listed below.

A logged in user (one who has a Facebook profile, and therefore during registration, entered data such as name, phone number, city, etc.) gets a c_user cookie. When this user visits a Fanpage, it allows Facebook to identify him and, therefore, match the visit to the full data available.

For logged in and non-logged in users alike there’s the datr cookie (allegedly used for security but just as usable for profile building) and fr, used explicitly for advertising. While alone they might not be enough to connect to a specific person, it’s very likely that the context available to Facebook (including other cookies, the IP address, etc.) would be enough to do that. Not discussed in the TDPA’s short paper, but I assume the additional data about the person doing the action mentioned in the section Facebook Insights would also heavily contribute.

Use of that personal data and consent

We’ve established that Facebook processes personal data, and can now analyze questions of GDPR compliance.

According to Facebook, c_user cookie is used not just for authentification, but for other purposes too, purposes it describes vaguely. The data in Insights clearly comes from Facebook profiles, and c_user is the cookie allowing that. In the TDPA’s opinion (from the same short paper⁴) it’s used for statistics and marketing purposes. Similarly the use of the other cookies, too, seems to be wider than stated (or required by the stated purposes).

The consent for the processing of personal data is dealt with in Art. 7⁵ of the GDPR and Art. 25⁶ of the TTDSG. There are issues with the consent popups Facebook uses, such as not all relevant information being immediately shown, agreeing to everything is much easier and requiring fewer clicks than agreeing to part of the uses, and the language being unclear. It’s not an attempt at honest explanation, its’s the opposite - efforts and dark patterns to get a person to agree to what Facebook wants them to.

For meaningful consent, the user has to understand that the data from even just opening the Fanpage will be used for profiling and marketing even outside of that Fanpage - this is different from the expected purpose of a Fanpage and not obvious in the slightest.

All together, in the opinion of the TDPA, it leads to the consent mechanism not fullfilling all the requirements of GDPR Art. 7 and TTDSG Art.25, and potentially misleading users about how Facebook uses their personal data.

Role of Fanpage administrators

The EU Court of justice (ECJ) ruled on 5 june 2018 that Fanpage administrators must be regarded as a controller jointly responsible for the processing of private data.⁷⁸ By setting up such a page, Facebook Fanpage administrators give to Facebook the ability to set and read cookies on users’ devices, thereby contributing to the process. And on the topic of data collected by Insights, even if the Fanpage admins don’t have access to all of it, they control/influence its processing through their actions. For example, by asking for demographic data from Facebook Insights, the admins trigger the processing of that data.

For me personally, that was the surprise - a Fanpage admin can be (as joint controller) responsible for the processing of personal data even if he doesn’t have access to it.

GDPR Art. 44⁹ deals with the topic of personal data being transferred outside the EU. There was no explicit opinion of the TDPA on the topic, but details about such data transfer if it exists (it almost certainly does) is another thing the Fanpage admin should know about to make sure it conforms to Art. 44. Art. 49 1) a)¹⁰ specifies that (unless the case is compliant to Art. 46 or Art. 45 3)) the user has to explicitly agree to take the risks connected with sending his data to third countries.

Responsibilities according to Facebook

Facebook itself seems to agree with the ECJ and states in the page controller addendum²:

You and Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook Ireland”, “we” or “us”; together the “Parties”) acknowledge and agree to be joint controllers in accordance with Article 26 GDPR for the processing of such personal data in events for Page Insights (“Insights Data”). The joint controllership covers the creation of those events and their aggregation into Page Insights that are provided to Page admins.

There they offer additional details about Page Insights, and on the topic of responsibilities, they split them as follows (bold mine, for emphasis):

Facebook Ireland: Facebook Ireland will ensure it has a legal basis for the processing of Insights Data which is set out in Facebook Ireland’s Data Policy (see under “What is our legal basis for processing data?”). Unless specified otherwise in this Page Insights Addendum, between you and Facebook Ireland, Facebook Ireland assumes the responsibility for compliance with the applicable obligations under the GDPR for the processing of Insights Data (including, but not limited to, Articles 12 and 13 GDPR, Articles 15 to 21 GDPR, Articles 33 and 34 GDPR). Facebook Ireland will implement appropriate technical and organisational measures to ensure the security of the processing in accordance with Article 32 GDPR. This does include the measures listed in the Annex below (as updated from time to time, for example to reflect technological developments). All employees of Facebook Ireland involved in the processing of Insights Data are bound by appropriate obligations to maintain the confidentiality of Insights Data.

Page admins: You should ensure that you also have a legal basis for the processing of Insights Data. In addition to the information provided to data subjects by Facebook Ireland via the Information about Page Insights, you should identify your own legal basis including the legitimate interests you pursue, if applicable, the responsible data controller(s) on your side including their contact details as well as the contact details of the data protection officer(s) (Article 13(1)(a-d) GDPR), if any.

The short paper of the TDPA thinks this division of responsibilities is still not clear enough:

Im Oktober 2019 hat Facebook eine unwesentlich aktualisierte Version der „Seiten‐Insights‐Ergänzung bezüglich des Verantwortlichen“ sowie der „Informationen zu Seiten‐Insights“ veröffentlicht (abrufbar unter: https://www.facebook.com/legal/terms/page_controller_addendum). Die dort enthaltenen Informationen skizzieren lediglich den Leistungsumfang von Seiten‐Insights. Ob die hierfür eingesetzten Datenverarbeitungsprozesse datenschutzkonform stattfinden, kann anhand der dortigen Informationen nicht beurteilt werden.

How to have a GDPR-compliant Facebook Fanpage?

TL;DR you can’t. Art. 26 1) of the GDPR,¹¹ amongst other things, requires stating in clear and transparent for which party is responsible for what.

This and other questions come from a list by the Berlin Data Protection Authority¹² :

• who takes care of which information obligations (Art. 13 and 14.)?
• how does the right to deletion (Art. 17) and other (Art. 18, 21, 15) data subject rights (Art. 12) work?

A Fanpage admin must be able to answer questions such as to which extent personal profiles are enriched as a result of the Fanpage visits, whether non-members’ information is used for this, etc., all of these not necessarily easy questions to answer.

Since the Fanpage admins are co-responsible for the data, BUT they can’t know for certain how is personal data collected, processed and for which purposes it’s used by Facebook - they can’t make sure it’s GDPR-compliant. Therefore, there’s currently no legal way for Facebook Fanpage admins to have a Fanpage.

• The Higher Administrative Court of Schleswig-Holstein on 26 November 2021 ruled that the Wirtschaftsakademie has to deactivate their Fanpage, as they can’t have one in a GDPR-compliant way
• This was, too, the official position of the TDPA’s short paper⁴, which explicitly stated that until there’s a possibility to legally operate Fanpages, they have to be deactivated.
• The German Data Protection Conference issued answers to frequently asked questions¹³ where they, too, state that administrating Fanpage in a GDPR-conform way is impossible

How can one make an effort to be compliant?

Despite the above, Fanpage are still used often, including by organizations involved in the topic of privacy (for example ¹⁴). While it’s impossible to have a 100% compliant Fanpage, some steps to reduce the risk (with examples from real websites) are listed below:

• Art. 13
  • Clearly stating in the privacy policy of the website the presence of Facebook tracking (if present) and the consequences of following the link
    • Bertsch Innovation has a link to a Fanpage in the footer, but it doesn’t lead to the Fanpage itself, but to this explainer that THEN links to the Fanpage directly: GDPR for our Facebook Fanpage:

    By clicking on the button below, I consent to the data processing by visiting the Facebook Fanpage and to the transfer of my personal data to the USA. I can revoke this consent at any time with effect for the future by sending an email to …

    • Additional Facebook-specific details are also listed in their privacy policy: Data Privacy Policy Bertsch Innovation GmbH
  • Writing a Facebook Note with an Impressum and link back to your website on the Fanpage itself
• Art. 49¹⁰ - clearly state that the user’s data MIGHT be transferred to the USA and that they assume the responsibility for the risks connected with that
  • Example: again, see Bertsch Innovation’s privacy policy above.

  The security of the transfer is secured via so-called standard contractual clauses, which ensure that the processing of personal data is subject to a level of security that corresponds to that of the GDPR. If the standard contractual clauses are not sufficient to ensure an adequate level of security, your consent pursuant to Article 49 (1) (a) of the GDPR may serve as the legal basis for the transfer to third countries.

• An agreement between the Fanpage admin and Facebook, to fulfill as much of Art. 26¹¹ as possible:
  • Agreement with Facebook pursuant to article 26 GDPR | Mayser GmbH & Co KG

The task itself

Intro

The above was a general “You can’t have a GDPR-conform Facebook Fanpage” part with the conclusion “you can’t”, but if the risks are deemed OK (in my opinion, it’s a safe bet that they are), this second part discusses the use-case-specific questions. It excludes most things already mentioned in the first part, but they stay relevant.

A company wants to have a Facebook Fanpage. Not only to interact with clients but to new potential hires. Test which data protection regulations need to be considered.

Compliance with GDPR principles

The principles relating to the processing of personal data

As enumerated in Art. 5¹⁵, these principles are:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
7. Accountability

Lawfulness, fairness and transparency

“When you process data, you should have a good reason for doing so”.

For a Facebook Fanpage, you probably can’t apply any of the other lawful bases for processing described in Art. 6¹⁶ except consent.

Ways informed consent applies could be:

• If you embed Facebook tracking pixels, like buttons or similar - don’t activate them until the visitor explicitly agreed to this in the consent popup.
• Inform the user about the risks associated with following the link to your Facebook Fanpage, such as by having an exit page before the direct link where they consent to this.
  • Clearly stating, too, that marketing and profiling by Facebook might be involved and that they are consenting to that, too. If you do it right, the user shouldn’t be surprised by this.
• Have an Impressum both in the Fanpage and the website itself
• Clearly state in your privacy policy the rest of the info needed to comply with Art. 13 and Art. 49 (see above)

Lastly, if you use the Fanpage to get a list of people who, say,__ don’t believe in locking the door of their apartment, to then use it to rob apartments - it breaks a lot of laws but also this principle, as you:

• deceived them about the purpose you collected their data
• used that data in an illegal way

Purpose limitation

Except the points discussed above (Facebook’s use of the data), the specific use case has parts specific to it.

How did the users find out about the Fanpage?

If you gathered the users’ emails for the purposes of shipment tracking and communication about their orders, sending an email to them with “We have a Fanpage now, follow us on Facebook!” would be misusing their private data (email addresses) for purposes they didn’t initially agree to.

A link to the Facebook Fanpage in the email footer is probably fine, though (again, if not taking into account the entire first part of this text).

Interact with clients and future workers

A Fanpage that has info both about products and “We’re hiring! See our open positions:” is not directly in violation of this principle.

A “Join our Fanpage to be the first to know about our sales and offers” followed by adding people’s profiles to an HR’s talent pool, with the purpose of later cold-calling them (under the assumption that people who use your products would love to work for you) might be:

• no one allowed you to add their names and profiles (“collect their data”) to your talent pool, as liking a Facebook page doesn’t imply that
• and yes, this uses their data for a different purpose

And the other way around - if someone reacts to your “Now hiring” post on Facebook and sends you an email asking for details, using that email to send them info about sales would also break this principle.

Data minimization

Facebook gathers and keeps the data it does, and it’s better for everyone if you don’t do more.

For example, if you are looking for a future hire on LinkedIn, talk to them there, then find their profile among the people following your Fanpage, look at their likes and follows, and add that to his profile in your CRM, that would break this principle. There’s no reason why you need someone’s likes for hiring to begin with, too (“purpose limitation”).

Accuracy

Not everyone uses their real name and info on Facebook, and if you create a profile of clients based on their Facebook info too, one of the reasons this might be an issue if the data you end up with is incorrect - such as different city, different relationship status, etc. The person is not in any way obliged to have a factually true profile, and if you end up with inaccurate data because of that - that’s your problem.

Data changes, too - for example, if data from the Fanpage is used for internal purposes (and the user knows about it), then there should be a process in place to track if the Facebook profile info changed, to update it wherever else it’s stored.

Storage limitation

Another example: if you do a “like our Facebook page until the end of February 2023 and receive a discount, but only once!” thing, you would keep a list of people who liked your page and received their discount. But there’s no need to keep that data after February 2023.

If you want to know how many people liked your page because of that, after this is over you should anonymise this data (or just save the numbers, but not the people).

Or, back to the “data minimization” example, if you keep someone’s likes in their profile even after you hired them this would break this principle too.

Integrity and confidentiality

Essentially, this is about keeping the data safe. This involves both the usual security measures for any data from the examples above you keep outside Facebook, but also this involves making sure the Facebook account you use to administer the Fanpage is, too, safe.

Accountability

A start could be documenting the way compliance with the basic tenets of the GDPR is handled, and documenting the steps taken to make the Fanpage GDPR-compliant itself (such as having an agreement between you and Facebook for the purposes of Art. 26 etc.), as described in the first part of this text.

Useful references

Legal/official:

• The German Data Protection Conference (‘DSK’)’s 22 June 2022’s FAQ for Facebook page admins¹³
• Thuringian Data Protection Authority Short/position paper⁴
• The list of questions for Facebook Fanpage owners sent by the Berlin Data Protection authority¹²

Facebook:

• Facebook page insights: https://www.facebook.com/legal/terms/information_about_page_insights_data¹
• Facebook page insights addendum https://www.facebook.com/legal/terms/page_controller_addendum²

Helpful resources:

• Really nice German human-readable explanation of the topic, on a website of a “Berater für Datenschutz und Informationssicherheit” who has a Fanpage linked in the footer: Facebook-Fanpage vs. DSGVO - konform oder nicht? - Wolfgang Zwanzger¹⁴
• How to make a Facebook business page GDPR compliant?
• Principle (a): Lawfulness, fairness and transparency | ICO has nice explanation of the principles - it’s the UK GDPR, but it broadly follows the EU GDPR.