If you operate a Facebook Page, both you and Facebook may need to follow the European Union's General Data Protection Regulation (GDPR). Facebook has specific rules on how it splits GDPR responsibilities with Page administrators.
- 1. GDPR Basics
- 2. GDPR Controllers and Processors
- 3. Facebook Page Insights and Personal Data
- 4. Page Insights Controller Addendum
- 5.1. Facebook Requirements
- 5.1.1. Legal Basis
- 5.1.2. Joint Controller Statement
- 5.2. GDPR Requirements
- 8. Summary
The General Data Protection Regulation (GDPR) is a European Union regulation, meaning it has legal effect in every country that's a member of the EU.
The GDPR applies to any personal data processing if:
- The business that processes the data (or decides how it's processed) is in an EU country
- The data subject (the person the data is about) is in an EU country, or
- The data processing physically takes place in an EU country
(Note that although the United Kingdom is no longer an EU country, it is currently scheduled to follow EU Regulations until the end of 2020. After that the same measures will still apply in the UK through domestic law until this law is revoked, amended or replaced.)
The GDPR sets out a wide range of rules about personal data processing. The fundamentals are that:
- It's only legal to process personal data in a limited range of circumstances, most commonly that the data subject has given meaningful consent or the processing is necessary for your legitimate interests.
- Processing means any use of data, including collection and disclosure.
- You must tell the data subject, in advance, the purpose or purposes for which you will process data.
- You must inform the data subject again (and get fresh consent if appropriate) before processing the data for a new purpose.
- The data subject has the right to know what data you store about them and whether you've disclosed it to a third party. They also have the right to correct errors and, in some circumstances, ask you to delete data.
- You must adequately secure the data.
GDPR Controllers and Processors
The GDPR holds two groups responsible for data processing.
- Controllers decide what data is collected and how it is processed. They may also carry out the processing.
- Processors carry out processing following the instructions of controllers.
In simple terms, both controllers and processors are responsible for complying with the GDPR, while controllers are also responsible for making sure processors working for them are complying with the GDPR.
The GDPR also allows for the situation where two different controllers make decisions about processing the same data. As long as the same data is processed for the same purpose, the two are considered joint controllers.
This has important legal consequences. Ultimately both joint controllers are individually responsible for all the processing and could be individually responsible for paying compensation after a breach. However, the GDPR does allow the joint controllers to set out who will be in charge of complying with which specific GDPR requirements. This includes who will take responsibility for dealing with any complaints or any communication with regulators (known under the GDPR as supervisory authorities).
Facebook Page Insights and Personal Data
For the most part the data processing and GDPR situation with Facebook is simple. When individuals post on their own account or in groups, it is Facebook that is collecting and processing data and thus Facebook that is classed as the controller whenever that processing comes under the GDPR.
The situation is more complicated with Pages. These work in a similar way to a personal profile but cover an organization, business or brand. Rather than users becoming "friends," users choose to "like" a page and can then see updates from it. Each Page is set up by a Facebook user who then acts as its administrator.
That created a legal argument that the Page administrator could be classed as a data controller because their decision to create the Page contributed to data being collected and processed.
As Facebook is also clearly a data controller in this context, it's down to Facebook and the Page administrator to determine whether they have joint controller status and how this will operate.
Page Insights Controller Addendum
The joint controller set-up is covered by the Page Insights Controller Addendum, which is part of Facebook's Pages, Groups and Events Policies. By creating a Page, you agree to this addendum and its position on joint controllers. In this context, "Facebook" means Facebook Ireland Limited.
The key points are as follows:
- Facebook and the Page administrator are joint controllers in the case of data collected through Page events (that is, interactions with the Page) and then aggregated to provide it to the administrator through Page Insights.
- The Page administrator is responsible for having a legal basis to process Insights Data.
- Facebook is responsible for most other aspects of GDPR compliance, specifically:
- Facebook's own legal basis for processing data
- Informing data subjects about the collection and processing
- Handling the data subject's rights such as access, correction and deletion
- Making any notifications after a data breach
Facebook decides how to comply with its GDPR obligations.
If a Page Administrator receives a data access request regarding Page Insights data, they must not respond. Instead they must pass the request on to Facebook within seven days using this form:
Facebook requires you to tell users what your legal basis is for the collection and processing of data through Page Insights. (Remember that you are jointly responsible for such processing.)
The GDPR sets out six allowable legal bases in Article 6:
- Processing necessary to perform a contract
- Processing necessary to comply with a legal obligation
- Processing necessary to protect someone's vital interests
- Processing necessary to carry out a task in the public interest or to exercise official authority
- Processing necessary for the controller's legitimate interests
Page visitors don't get enough information or give specific meaningful consent to make basis 1 suitable in most cases involving Page Insights. Bases 2 through 5 will rarely if ever apply to Page Insights.
This leaves basis 6, legitimate interests. For this basis to apply, you must go through a three point checklist:
- What exactly is the legitimate interest?
- Is the processing necessary to achieve this interest?
- Do the individual's personal data rights and freedoms override this interest?
Normally your access to Page Insights should meet these tests and thus legitimate interests is an acceptable legal basis.
Using Page Insights helps you learn more about your audience and thus improve and target the service and information you provide. The fact you can only access the information in aggregated form means it doesn't pose a serious risk or breach of privacy for an individual.
Romantic Germany goes beyond simply stating it relies on "legitimate interests" and instead explains to users what this means:
Joint Controller Statement
Lufthansa does this in a policy dedicated to its Facebook Page:
BASF gives additional detail on what data is processed through Page Insights, listing specifics like your country of location, number of visits, gender relations, etc.:
- Your identity and contact details that of your data protection officer (if you have one)
- What data you process
- The purpose for processing
- The legal basis for processing
- How long you'll keep the data
- Whether you share the data with anyone else
- The user's rights to access data, correct it, and ask you to delete it
Good Game Studios puts this information directly after the details of the Page Insights data processing:
- Answer a few questions about your business:
- Add your website or app information:
- Answer a few questions about what information you collect from your users:
- Select options for how your users can contact you:
The second is to make sure your identity and contact details are clearly listed in the About section of your Page. To avoid confusion, do so through the standard About field rather than posting it elsewhere on the Page, for example as a pinned post:
Let's recap what you need to know and do to comply with the joint controller rules for Facebook Page Insights:
- The GDPR applies if a data controller, a data subject, or the processing itself is in an EU country.
- When the GDPR applies, the data controller must give the data subject details of what data is processed, how and why. They must have a legal basis to process the data.
- A data controller is the person or organization that decides what data to process and how to do so. The GDPR allows for joint controllers of particular data. They share legal responsibility but can divide compliance tasks between them.
- Facebook collects data about interactions with Pages and makes this data available to Page administrators through the Page Insight program.
- Facebook's terms - which Page administrators must agree to - say that Facebook and the Page administrator are joint controllers for the Page Insight data.
- Facebook agrees to handle most of the GDPR compliance tasks relating to the Page Insight data. It requires the Page administrator to take responsibility for having a legal basis for the data's processing. In most cases this will be "legitimate interests."
- Page users can make data access requests to the Page administrator, but the Page administrator must pass this on to Facebook within seven days. Facebook will handle the request.
- The Page administrator will need to do the following in their Page's About section to comply with Facebook's rules:
- Add their full contact details