By Jeppe Songe-Møller
All companies that processes personal data must ensure that they comply with the obligations in the EU's General Data Protection Regulation (GDPR). The obligations will also apply when a company uses social media, for example by creating a business page on Facebook.
In essence, a company's compliance efforts shall include measures to ensure that the privacy of data subjects is safeguarded. Companies that ignore the fundamental GDPR requirements risk administrative fines, monetary claims from data subjects and unwanted press coverage. According to the GDPR, a company shall evidence that it has carried out a risk assessment and considered privacy consequences of using Facebook for business communication.
The roles and responsibilities in social media have been emphasized through case law from the European Court of Justice (CJEU). In particular, two judgments, Wirtschaftsakademie (C-210/16) and Fashion ID (C-40/17), show that interaction between social media and other actors can lead to joint responsibility under Article 26 of GDPR.
The conclusion of The Norwegian Data Protection Authority to stop using Facebook, is based on a Data Protection Impact Assessment (DPIA) including the requirements for so-called joint data controllers. In our opinion, most companies may continue using Facebook in their business communication if they follow this step-by-step guide:
A company using Facebook for business communication should acknowledge its responsibility for processing and for fulfilling the obligations in GDPR, just like all other companies that process personal data. The company shall define itself as data controller, including implementing appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR. This includes maintaining a record of processing activities, i.e. a systematic overview of personal data that is being processed by the company. The record should also describe processing of personal data that takes place by having a page on Facebook.
As data controller, the company creating a Facebook page should take measures to provide transparent information to the data subjects. The communication should be concise, intelligible and easily accessible, using clear and plain language. The company should provide the information in writing through a privacy notice on its webpage or similar. Certain mandatory information needs to be included in the privacy notice, such as legal basis, purposes and data subjects' rights. The privacy notice should also include specific information about the company's use of Facebook.
A company having presence on Facebook should assess whether the processing is necessary and proportional. The goal is to ensure that the choices the company makes as data controller are legitimate and carried out so that the processing is proportional to the purposes. The company should address whether the privacy principles (GDPR Articles 5, 6 and 9) and the data subjects' rights (GDPR Articles 12-22) a) have been safeguarded. Built-in privacy and "privacy as default" are also keys requirements that should be described by the company. The company may use information in Facebook's Help Center to facilitate the assessment.
As indicated by recent EU case law, the company and Facebook may be seen as so-called joint controllers according to GDPR Article 26. Essentially, this requires an arrangement that determines the responsibilities for compliance with GDPR, in particular as regards the exercising of the rights of data subjects and the duties to provide information referred to in GDPR Articles 13 and 14.
The issue here is that companies will not have the opportunity to enter into its own agreements with Facebook. Interestingly, the CJEU clarified in Fashion ID that although the term "controller" should be given a broad interpretation, a company cannot be held responsible for upstream or downstream processing operations in the chain for which it does not determine the purpose or the means of processing. In this regard, CJEU held that Facebook (not Fashion ID) was the data controller for the processing taking place after the personal data related to the "Like" plug-in has been transferred to Facebook. To put it short, companies that do not embed Facebook's "Like" button seems to be better off in terms of compliance than those who do.
An important tool to ensure compliance is to carry out risk assessments and consider privacy consequences, e.g. by conducting a DPIA. The risk assessment of using Facebook in business communication shall be evidenced by the company in writing. The assessment should include the nature, scope, purpose, context, sources and recipients of the personal data processing, as well as an assessment of information security consequences by having a page on Facebook. The aspect of international data transfers should also be taken into account (please read our previous newsletters regarding Schrems II). If the assessment concludes that that the processing of personal data through a page on Facebook entails a high risk for the data subjects, the company – as the owner of a Facebook page – must be able to implement measures that reduce the risk sufficiently.
The Norwegian Data Protection Authority has chosen not to use Facebook. This does not mean that your company's risk assessment will conclude in the same way.
Firstly, the report by the authority would only apply to the authority's own use of Facebook. The DPIA conducted by the authority is not a general assessment of the legality of using Facebook for business communication. Secondly, there is also much to indicate that the authority has made a quite strict interpretation of Facebook in light of its role as Norway's privacy watchdog and ombudsman.
However, it is clear that companies need to assess the privacy risk associated with having a page on Facebook. Specific information should be given in a privacy notice about the legal basis and purpose of using Facebook for business communication. The aspect of joint controllers, necessity, proportionality and built-in privacy should be taken into account. There are several thing to keep in mind for companies that choose to use Facebook.