German Government Facebook Pages: Removal Urged

Germany and Facebook: A Data Protection Standoff

Germany's federal data protection commissioner is demonstrating increasing dissatisfaction with Facebook’s data handling practices.

Ulrich Kelber recently sent a communication to various government agencies, strongly advising them to deactivate their official Facebook Pages due to persistent data protection issues and the platform’s inability to resolve them.

Impending Enforcement Action

Kelber’s letter explicitly states his intention to begin enforcement measures starting in January 2022.

This effectively sets a deadline for government bodies to remove their presence from Facebook within the next year.

Consequently, the removal of official German government Facebook Pages is anticipated in the coming months.

Widespread Government Presence

While Kelber’s own agency, the BfDi, doesn't maintain a Facebook Page – though Facebook’s algorithms sometimes create placeholder pages when searched for – numerous other German federal organizations do.

For example, the Ministry of Health’s official page boasts over 760,000 followers.

The Path Forward

The only way to prevent these pages from disappearing is for Facebook to implement substantial changes to its platform operations.

These changes must allow Pages to operate within Germany in full compliance with EU law.

However, Facebook has a documented history of disregarding privacy concerns and data protection regulations.

Recent Actions Raise Concerns

Furthermore, Facebook has recently exhibited a willingness to compromise the quality of information available to users.

This has been observed when such actions align with its business objectives, as demonstrated by events in Australia concerning a media code law.

Therefore, it appears more probable that German government agencies will be compelled to withdraw from the platform.

A Duty to Lead by Example

Kelber explains that he has refrained from taking action until now, acknowledging arguments from government bodies that their Facebook Pages are vital for citizen engagement.

However, his letter emphasizes that government entities must serve as “role models” in legal compliance.

They therefore have “a specific obligation” to adhere to data protection laws, mirroring the approach taken by the EDPS in reviewing EU institutions’ use of US cloud service providers.

Facebook’s Addendum Falls Short

Kelber’s assessment indicates that the “addendum” provided by Facebook in 2019 does not adequately address the compliance problem.

He concludes that Facebook has not altered its data processing procedures to enable Page operators to meet the requirements outlined in the EU’s General Data Protection Regulation.

Joint Responsibility Under EU Law

A crucial ruling from Europe’s highest court in June 2018 is central to this issue.

The court determined that the administrator of a Facebook fan page shares responsibility with Facebook for processing the data of page visitors.

This means Page operators also face data protection obligations and cannot rely solely on Facebook’s terms and conditions for legal protection.

Lack of Transparency and Control

The core issue is Facebook’s failure to provide Page operators with sufficient information or guarantees regarding how user data is processed.

This hinders their ability to comply with GDPR principles of accountability and transparency, as they cannot adequately inform followers about data usage.

Moreover, Page operators lack the ability to disable or restrict Facebook’s broader processing of their followers’ data, even if they don’t utilize Facebook’s analytics tools.

Data Maximization and Potential Consequences

This is due to Facebook’s ‘data maximizing’ approach, designed to fuel its ad-targeting systems.

However, this strategy could prove detrimental if it leads to a significant decline in the quality of information on the network.

This could occur if a large number of key services migrate off the platform, such as all EU government agencies deleting their Facebook Pages.

Hope for Alternative Platforms

A related post on the BfDi’s website suggests the possibility of “data protection-compliant social networks” emerging in the wake of Facebook’s compliance issues.

This presents a potential competitive opportunity for alternative platforms prioritizing user rights.

Expert Commentary

Luca Tosoni, a research fellow at the University of Oslo’s Norwegian Research Center for Computers and Law, explained to TechCrunch that this development is closely linked to recent CJEU case law on joint controllership.

He specifically referenced the Wirtschaftsakademie ruling, which established that a Facebook page administrator should be considered a joint controller with Facebook regarding the processing of visitor data.

Tosoni clarified that this doesn’t equate to equal responsibility for all data processing stages.

However, it necessitates a clear agreement outlining roles and responsibilities, which, according to the German Federal Commissioner, Facebook’s current data protection ‘Addendum’ fails to provide.

He further noted that the CJEU’s Fashion ID ruling indicates that GDPR obligations for joint controllers should align with the stages of data processing where they exert control.

Consequently, the data protection obligations for a Facebook page administrator are typically limited.

Concerns Regarding Social Media Compliance

The current compliance challenge primarily impacts Facebook's operations within Germany, and potentially extends to other markets across the European Union. However, similar issues may arise for a wider range of social media services as well.

Specifically, a letter from Kelber highlights an ongoing evaluation of Instagram, TikTok, and Clubhouse, noting “shortcomings” in the data protection standards they currently provide.

Consequently, he advises governmental agencies to refrain from utilizing these three applications on official work devices.

A previous assessment conducted in 2019 by the BfDi indicated that Twitter usage could potentially align with data protection regulations. This was contingent upon full privacy setting activation and the disabling of analytics features.

At that time, the BfDi also cautioned that Instagram, being owned by Facebook, encountered comparable compliance difficulties, mirroring the same “problematic” consent practices attributed to the broader Facebook group.

When contacted for a response to Kelber’s recent recommendations, Facebook opted to provide a general statement rather than addressing the specific inquiries.

Further complicating matters for Facebook is the legal ambiguity stemming from the Court of Justice of the European Union’s (CJEU) ruling in the Schrems II case last summer.

The EU’s highest court invalidated the EU-US Privacy Shield, a mechanism allowing companies to self-certify adequate data protection levels, thereby eliminating the simplest pathway for transferring personal data of EU users to the United States. While the court did not entirely prohibit international data transfers, it stipulated that data protection authorities must intervene and halt data flows if they suspect risks to data security.

In the aftermath of Schrems II, data transfers to the US are demonstrably problematic when processed by a US company subject to FISA 702, a situation applicable to Facebook.

In fact, Facebook’s EU-to-US data transfers were the central issue in the Schrems II case, initiated by Max Schrems. A decision is still pending regarding whether Facebook’s primary EU data supervisor will enforce a preliminary order to suspend these data flows, expected in the coming months.

Prior to this anticipated ruling in Ireland, other EU DPAs are proactively taking measures, and Kelber’s letter references the Schrems II ruling as a significant concern.

Tosoni acknowledges that GDPR enforcement is gaining momentum. He also emphasized the nuanced nature of complying with the Schrems II ruling, as each data flow requires individual assessment, with various supplementary measures available to data controllers.

“This situation also demonstrates that European data protection authorities are seriously addressing the GDPR data transfer requirements as interpreted by the CJEU in Schrems II, as highlighted by the German Federal Commissioner for Data Protection and Freedom,” he stated.

“However, the German Federal Commissioner issued his letter regarding Facebook page usage shortly before the EDPB finalized its recommendations on supplementary measures for international data transfers following the CJEU Schrems II ruling. Therefore, it remains to be seen how German data protection authorities will integrate these new recommendations into their future evaluations of Facebook page GDPR compliance by German public authorities.

“These recommendations do not impose a complete ban on data transfers to the US but necessitate the implementation of robust safeguards to maintain data transfer legality.”

A recent CJEU judgment also affirmed that EU data protection agencies can, under specific circumstances, take action even when they are not the lead supervisory authority for a company under the GDPR’s one-stop-shop system. This expands the scope for litigation by watchdogs in Member States if a local agency perceives an urgent need for intervention.

However, in the context of German government bodies’ use of Facebook Pages, the earlier CJEU ruling on joint controllership already establishes clear jurisdiction for the BfDi to directly address these agencies’ Facebook Pages.

https://twitter.com/maxschrems/status/1410528986338402306