Schjødt's legal memo on the use of Facebook Pages

by Eva Jarbekk & Øyvind Eidissen


Earlier this year, Schjødt held a seminar with Meta Platforms Ireland Ltd. ("Meta") on the legal framework for using Facebook Pages. On assignment by Meta, we have carried out a legal assessment of the Norwegian Data Protection Authority's ("NDPA") published DPIA on the use of Facebook Pages. Our partners Eva Jarbekk and Øyvind Eidissen have been in charge of the assessment.


Following the ruling of the EU Court of Justice ("CJEU") in "Wirtschaftsakademie", the NDPA issued a DPIA on its decision not to use Facebook Pages and on the joint controllership for Page Insights. The NDPA did not claim that it was illegal to use Facebook Pages, but the fact that it went public with its decision not to use Facebook Pages has caused uncertainty in Norway about whether Facebook Pages may be used legally.

Our memo encompasses a thorough legal analysis and assessment of the NDPA's DPIA in light of the EU General Data Protection Regulation ("GDPR"), relevant EU case law and leading legal theory. While our memo has been commissioned by Meta, it does not necessarily represent Meta’s legal views and positions. Our assessments are our own.

Summary of findings

Our memo concludes that parts of the NDPA's report are deficient and imprecise, especially with regard to its view on joint controllership when using Facebook Pages. Our view is that the joint controllership between Meta and page admins is defined in an adequate way in accordance with the legal requirements. This stands in contrast to what the NDPA publicly states.

For the collection and processing of personal data to generate "Page Insights", the page admin and Meta are joint controllers. But this does not mean, or require, that the division of responsibilities is equal. The above implies that, in our opinion, most organisations should be able to conclude that they may use Facebook Pages in compliance with the GDPR, but they must conduct their own assessments of the legal basis for processing personal data. We have also questioned the NDPA's emphasis on arguments of a more subjective, "ethical" nature rather than legal ones; we believe such arguments are irrelevant in a legal assessment under the GDPR.

Slides from our seminar are available on request. You are welcome to contact us should you have any questions.
