On a Facebook page, companies and brands can present themselves on social networks and exchange ideas with their own customers, free of charge. Small companies in particular therefore often decide to forgo their own website and maintain a Facebook page instead.
The Conference of Independent Federal and State Data Protection Authorities (colloquially: Data Protection Conference) has now set out its position in a collection of frequently asked questions about Facebook pages and is warning of data protection pitfalls.
What makes a Facebook page a data protection problem?
In short: as the operator of a Facebook page, you are partly responsible for what happens with the data of your “fans” or customers. Of course, the Meta Platforms Group, as operator of Facebook, is responsible for this in the first instance. Meta processes user data to show users tailored advertising; that is its business model. But exactly which personal data is processed, and in which way, remains opaque at Meta. In addition, Meta also transmits its users' data to countries outside Europe. This is only permitted if the requirements of the GDPR are met, and Meta does not guarantee that either. As the operator of a (company) page on Facebook, you also collect and receive personal data in the form of so-called “insights”.
With a ruling of June 5, 2018 (C-210/16, “Wirtschaftsakademie”), the European Court of Justice (ECJ) has now confirmed the view of the supervisory authorities that the operators of Facebook pages have (co-)responsibility for the processing of this user data.
As a site operator, what can I do now?
It's a dilemma: In theory, you would have to guarantee your users that the personal data you receive as part of your Facebook page will only be used in accordance with the law. However, you can't — at least not as long as Facebook or Meta does not disclose the details of data processing. So far, Meta has also shown no interest in complying with the GDPR requirements or creating a solution together with site operators.
If you want to comply with the law, your only option is to close your Facebook page. The Data Protection Conference recommends this radical step in particular to public authorities, as these will be a particular focus of data protection supervisory authorities because of their role-model function.
Which alternatives can I use?
So far, only the lack of legal compliance of Facebook pages has been clarified in court. However, it can be assumed that the framework conditions for other social media platforms such as Instagram, Twitter, TikTok, etc. are similar: as a normal user or site operator, you will not know what actually happens with your and your customers' data.
Public relations should therefore rather take place within a legally compliant framework: on your own website (e.g. in the form of a blog or micro-blog), in print products or at events such as open days.
What happens if I keep my Facebook page?
Non-public employers may be asked by a supervisory authority to close their site. The authority also has the option of imposing fines. In addition, it is possible for affected users to contact the operators of Facebook pages with claims for damages in accordance with Article 82 GDPR.
Why should regulators contact my company and not Facebook?
Because the data protection authority in your federal state is not responsible for Facebook or the Meta Platforms Group; the Irish supervisory authority is. In line with the so-called principle of effective security, a German supervisory authority will always first contact local companies, and not the group abroad.