As a result of the latest European Court of Justice decision regarding the administration of Facebook fanpages, Facebook has recently published an Agreement for data processing activities that aims to comply with the said ruling (available here).
This article contains an analysis from a data protection law perspective that will determine whether the solution implemented by Facebook fully complies with the ECJ ruling or whether the company's approach is still non-compliant.
European Court of Justice decision
Hence it cannot be alleged that Facebook acts as a processor in the relationship at stake, as the company also determines the purposes and means of the data processing operations. It would be a fallacy to state that Facebook limits its actions to following the instructions provided by the companies operating these fanpages. Therefore, Facebook cannot be considered a processor in terms of Art. 28 GDPR.
On the other hand, the operator of the fanpage is also deemed a controller, as it can define parameters of the activities carried out on the fanpage, for example by defining the target audiences and deciding which campaigns and other activities are organized via the fanpage.
As a consequence, and in line with what the ECJ decided, companies operating fanpages together with Facebook are categorized as joint controllers.
Processing Personal Data as Joint Controllers
According to Art. 26 GDPR, where two or more controllers jointly determine the purposes and means of a processing operation, they are deemed joint controllers. Under the same provision, joint controllership can only be lawfully exercised when an arrangement between the parties is concluded in which they clearly and transparently agree on their respective roles and allocate the responsibilities for compliance with the GDPR among the controllers.
Facebook’s implementation of the ECJ decision
As a result of the ECJ decision, Facebook established an agreement that, according to the company, complies with what was stipulated by the ECJ.
However, the agreement published by Facebook has the essential characteristics of a different kind of agreement, not the one described in Art. 26 GDPR. The document provided by the company reads far more like the agreement described in Art. 28 GDPR.
Art. 28 GDPR defines the agreement that regulates the relationship between a data processor and a controller. A controller-to-processor agreement pursuant to Art. 28 GDPR is only required when one of the parties carries out the data processing on behalf of another, following its exact instructions, the latter being the controller in the relationship. Therefore, the agreement proposed by Facebook does not fit the case under study: in relation to data processing operations on fanpages, Facebook co-determines the purposes and means of the personal data processing, which, according to the GDPR and the ECJ decision, makes Facebook a controller. This agreement does not adequately represent the reality of the processing activities.
Legal analysis of the Facebook agreement in light of GDPR:
Besides the reasons expressed in the section above, the agreement proposed by Facebook does not comply with the GDPR and does not reflect the reality of the processing operations with regard to fanpages.
In light of Art. 28 para. 3 GDPR, the Facebook agreement lacks the following elements that a controller-to-processor agreement must contain:
- A commitment to process data only on documented instructions from the controller (Facebook does not limit itself to such instructions);
- A confidentiality obligation for employees with access to personal data;
- Return or deletion of the data at the end of the processing;
- Audit rights for the controller or an auditor assigned by the controller; and
- EU Standard Contractual Clauses, as the data is transferred to the US.
The agreement also leaves critical issues unaddressed, such as:
- Sub-processing without prior written authorization and without a right to object;
- No defined process for supporting the controller in responding to data subject requests;
- No documentation of the implemented technical and organizational measures (TOMs); and
- Reliance on a SOC 2 Type II report as proof of the TOMs, which is not formally recognized by the GDPR or the courts.
As explained in the sections above, Facebook always processes data for its own purposes. The Art. 28 GDPR agreement proposed by Facebook does not sufficiently cover the obligations of an Art. 26 GDPR agreement. Facebook apparently offers no right to object: if you wish to continue using any of the Facebook services concerned, you are obliged to accept this contract. An inadequate data processing contract creates risks for the security of the data. If you as a business decide to continue using Facebook services, we recommend raising the issue with your Facebook contact person and requesting an agreement pursuant to Art. 26 GDPR. Document your request and the reply provided by Facebook.
In light of the recent ECJ decision and the ongoing investigations by the UK's Information Commissioner's Office, sanctions and fines against Facebook are to be expected.