Has the ECJ ruling on Facebook fan pages been adequately implemented?
In 2018, following the ECJ's Facebook fan pages decision, Facebook published an agreement under the General Data Protection Regulation (GDPR) that is meant to bring Facebook into compliance with that judgment. An analysis, with reference to the decision on Facebook Custom Audience.
The European Court of Justice ruling on the Data Protection Regulation
In the relationship at issue, Facebook is not acting as a processor: it determines for itself the purposes and means by which it stores and evaluates user data.
At the same time, the operator of the fan page is also a controller, because it can set parameters for its page and for the activities built on it. It can define target audiences and decide which further activities and campaigns it wants to run through its fan page. Companies that operate Facebook fan pages are therefore classified as joint controllers under the ECJ ruling (Art. 26 GDPR).
Facebook's implementation of the ECJ and Bavarian Administrative Court rulings
In response to the ECJ ruling, Facebook published an agreement stating that the company intends to comply with the requirements of the judgment. On closer inspection, however, there are considerable doubts. The "Agreement" Facebook presented in this context reflects elements of a processing agreement under Article 28 GDPR (a processor acting on the controller's instructions) rather than conforming to Article 26 GDPR, which governs the arrangement between joint controllers. This becomes particularly apparent when an online shop is operated with Facebook's involvement. The following points stand out in particular:
- Facebook processes data only on the documented instructions of the customer.
- Employees with access to personal data are bound by a special confidentiality obligation, to which they must agree.
- Under certain conditions, Facebook undertakes to delete or return personal data.
- Controllers holding a Facebook account, or an auditor commissioned by them, have a right of audit.
- Because user data is transferred to the US, reference is made to the existing EU standard contractual clauses.
Further critical points in the agreement to keep in mind
- Sub-processors may be engaged without written authorization and without a right to object.
- Support in handling requests from data subjects is not tied to any specified form.
- No further documentation of the technical and organizational measures is provided.
- A SOC 2 Type II report is declared sufficient evidence that all technical and organizational measures are complied with. (Note that a SOC 2 Type II report attests only to the controls the audited organization itself selected against the AICPA Trust Services Criteria; it is not an assessment against the requirements of Art. 32 GDPR.)
One would expect a global corporation such as Facebook to know the difference between a joint-controller arrangement and a processing agreement under Article 28 of the Regulation. Instead, it has drafted an agreement consisting of well-sounding phrases that are almost right under data protection law. It should be clear to everyone involved that Facebook is in fact the sole controller here, since it processes the data exclusively for its own purposes.