Germany’s federal data commissioner has run out of patience with Facebook.
Last month, Ulrich Kelber wrote to government agencies “strongly recommend[ing]” that they shut down their official Facebook Pages, citing ongoing data protection compliance problems and the tech giant’s failure to fix the issue.
In the letter, Kelber warns the government bodies that he intends to start taking enforcement action from January 2022, essentially giving them a deadline of next year to pull their pages from Facebook.
So expect not to see official Facebook Pages of German government bodies in the coming months.
While Kelber’s own agency, the BfDi, doesn’t appear to have a Facebook Page (though Facebook’s algorithms seem to generate a synthetic stub if you try searching for one), plenty of other German federal bodies do, such as the Ministry of Health, whose public page has more than 760,000 followers.
The only alternative to such pages vanishing from Facebook’s platform by Christmas (or else being ordered to be taken down early next year by Kelber) seems to be for the tech giant to make more substantial changes to how its platform operates than it has offered so far, allowing the Pages to be run in Germany in a way that complies with EU law.
However, Facebook has a long history of ignoring privacy expectations and data protection laws.
It has also, very recently, shown itself more than willing to reduce the quality of information available to users if doing so furthers its business interests (such as lobbying against a media code law, as users in Australia can attest).
So it seems rather more likely that German government agencies will be the ones having to quietly bow off the platform soon…
Kelber says he has avoided taking action over the ministries’ Facebook Pages until now on account of the public bodies arguing that their Facebook Pages are an important way for them to reach citizens.
However, his letter points out that government bodies must be “role models” in matters of legal compliance, and therefore have “a particular duty” to comply with data protection law. (The EDPS is taking a similar tack by reviewing EU institutions’ use of US cloud services giants.)
Per his assessment, an “addendum” provided by Facebook in 2019 does not rectify the compliance problem, and he concludes that Facebook has made no changes to its data processing operations to enable Page operators to comply with the requirements set out in the EU’s General Data Protection Regulation.
A ruling by Europe’s top court, back in June 2018, is highly relevant here, as it held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the data of visitors to the page.
That means that the operators of such pages also face data protection compliance obligations, and cannot simply assume that Facebook’s T&Cs provide them with legal cover for the data processing the tech giant undertakes.
The problem, in a nutshell, is that Facebook does not provide Page operators with enough information or assurances about how it processes users’ data, meaning they are unable to comply with the GDPR principles of accountability and transparency because, for example, they are unable to adequately inform followers of their Facebook Page what is being done with their data.
There is also no way for Facebook Page operators to switch off (or otherwise block) wider processing of their Page followers by Facebook, even if they don’t make use of any of the analytics features Facebook offers to Page operators.
The processing still happens.
This is because Facebook operates a take-it-or-leave-it ‘data maximizing’ model to feed its ad-targeting engines.
But it’s an approach that could backfire if it ends up permanently reducing the quality of the information available on its network because of a mass migration of key services off its platform. Such as, for example, if every government agency in the EU deleted its Facebook Page.
A related blog post on the BfDi’s website also holds out the hope that “data protection-compliant social networks” might develop in the Facebook compliance vacuum.
Certainly there could be a competitive opportunity for other platforms that seek to sell services based on respecting users’ rights.
The German Federal Ministry of Health’s verified Facebook Page (Screengrab: TechSwitch/Natasha Lomas)
Discussing the BfDi’s intervention, Luca Tosoni, a research fellow at the University of Oslo’s Norwegian Research Center for Computers and Law, told TechSwitch: “This development is strictly linked to recent CJEU case law on joint controllership. In particular, it takes into account the Wirtschaftsakademie ruling, which found that the administrator of a Facebook page must be considered a joint controller with Facebook in respect of processing the personal data of the visitors of the page.
“This does not mean that the page administrator and Facebook share equal responsibility for all stages of the data processing activities linked to the use of the Facebook page. However, they must have an agreement in place with a clear allocation of roles and responsibilities. According to the German Federal Commissioner for Data Protection and Freedom of Information, Facebook’s current data protection ‘Addendum’ would not seem to be sufficient to meet the latter requirement.”
“It is worth noting that, in its Fashion ID ruling, the CJEU has taken the view that the GDPR’s obligations for joint controllers are commensurate with those data processing stages in which they actually exercise control,” Tosoni added. “This means that the data protection obligations of a Facebook page administrator would normally tend to be quite limited.”
Warnings for other social media services
This particular compliance issue affects Facebook in Germany, and potentially any other EU market. But other social media services may face similar problems too.
For instance, Kelber’s letter flags an ongoing audit of Instagram, TikTok and Clubhouse, warning of “deficits” in the level of data protection they offer too.
He goes on to recommend that agencies avoid using the three apps on business devices.
In an earlier, 2019 assessment of government bodies’ use of social media services, the BfDi suggested that usage of Twitter could, by contrast, be compliant with data protection rules, at least if privacy settings were fully enabled and analytics disabled, for example.
At the time the BfDi also warned that Facebook-owned Instagram faced similar compliance problems to Facebook, being subject to the same “abusive” approach to consent he said was taken by the whole group.
Reached for comment on Kelber’s latest recommendations to government agencies, Facebook did not engage with our specific questions, sending us this generic statement instead:
“At the end of 2019, we updated the Page Insights addendum and clarified the responsibilities of Facebook and Page administrators, for which we took questions regarding transparency of data processing into account. It is important to us that also federal agencies can use Facebook Pages to communicate with people on our platform in a privacy-compliant manner.”
A further complication for Facebook has arisen in the wake of the legal uncertainty following last summer’s Schrems II ruling by the CJEU.
Europe’s top court invalidated the EU-US Privacy Shield arrangement, which had allowed companies to self-certify an adequate level of data protection, removing the simplest route for transferring EU users’ personal data over to the US. And while the court did not outlaw international transfers of EU users’ personal data altogether, it made it clear that data protection agencies must intervene and suspend data flows if they suspect data is being moved to a place, and in such a way, that it is put at risk.
Following Schrems II, transfers to the US are clearly problematic where the data is being processed by a US company that is subject to FISA 702, as is the case with Facebook.
Indeed, Facebook’s EU-to-US data transfers were the original target of the complainant in the Schrems II case (by the eponymous Max Schrems). And a decision remains pending on whether the tech giant’s lead EU data supervisor will follow through on a preliminary order last year that it should suspend its EU data flows, due in the coming months.
Even ahead of that long-anticipated reckoning in Ireland, other EU DPAs are now stepping in to take action, and Kelber’s letter references the Schrems II ruling as another issue of concern.
Tosoni agrees that GDPR enforcement is finally stepping up a gear. But he also suggested that compliance with the Schrems II ruling comes with plenty of nuance, given that each data flow must be assessed on a case-by-case basis, with a range of supplementary measures that controllers may be able to apply.
“This development also shows that European data protection authorities are getting serious about enforcing the GDPR data transfer requirements as interpreted by the CJEU in Schrems II, as the German Federal Commissioner for Data Protection and Freedom flagged this as another pain point,” he stated.
“However, the German Federal Commissioner sent out his letter on the use of Facebook pages a few days before the EDPB adopted the final version of its recommendations on supplementary measures for international data transfers following the CJEU Schrems II ruling. Therefore, it remains to be seen how German data protection authorities will take these new recommendations into account in the context of their future assessment of the GDPR compliance of the use of Facebook pages by German public authorities.
“Such recommendations do not establish a blanket ban on data transfers to the US but impose the adoption of stringent safeguards, which will need to be followed to keep on transferring the data of German visitors of Facebook pages to the US.”
Another recent judgment by the CJEU reaffirmed that EU data protection agencies can, in certain circumstances, take action when they are not the lead data supervisor for a particular company under the GDPR’s one-stop-shop mechanism, expanding the possibility for litigation by watchdogs in Member States if a local agency believes there is an urgent need to act.
Although, in the case of the German government bodies’ use of Facebook Pages, the earlier CJEU ruling finding joint controllership means the BfDi already has clear jurisdiction to target these agencies’ Facebook Pages itself.
It is time to simply enforce the #GDPR and not “negociate” compliance with fundamental rights. They will quickly adapt once they have to.
Good that the German DPA plans to beat “talk & ignore”, which is still the dominant culture in EU privacy law. 🙄https://t.co/BmlXRXETOG
— Max Schrems 🇪🇺 (@maxschrems) July 1, 2021