Privacy statement and accountability for corporate sites on Facebook & Co – Data protection authority deletes Twitter account
The data protection scandals surrounding Facebook, Cambridge Analytica, Google and Amazon, as well as the introduction of the basic data protection regulation (DSGVO) on 25 May 2018, give rise to considerable doubts about the security of our personal data. But the uncertainty of companies is also growing. There is a growing fear in the industry of being warned with costs.
Rightly so, because even ignorance does not protect against punishment.
Compliance with data protection regulations is one of the most important obligations of companies in legal transactions, especially online. Violations can lead to warnings by competitors or by the data protection authorities. The data protection authorities may impose heavy fines.
Authorities withdraw from social media
Not only for companies, but also for private users and even for public authorities, the topic of data protection is still as topical as it is dangerous:
The State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg, Stefan Brink, recently announced that he will delete the Twitter presence of his authority as of 31 January 2020.
The background is provided by two fundamental rulings of the European Court of Justice (ruling of 5 June 2018, file number C-210/16) and the Federal Administrative Court (ruling of 11 September 2019, file number 6 C 15.18). In doing so, the Federal Administrative Court has followed the case law of the European Court of Justice, according to which, according to the current legal situation, users should be jointly responsible for data processing in social networks. In addition to measures against the operators of social networks, measures against users of these networks are now also permissible, provided that the competent authorities have “no other means of creating conditions that are consistent with data protection”.
In the future, private users in social networks will also be liable as data processors
The case before the ECJ concerned the question of whether the State Centre for Data Protection in Schleswig-Holstein of the Schleswig-Holstein Academy of Economics was entitled to prohibit the Academy’s Facebook presence. Facebook evaluated the usage data of the visitors of the Facebook page, but did not clarify the nature, extent and means of data processing or the visitors’ right to object.
The Wirtschaftsakademie Schleswig-Holstein as operator of Facebook-Page had no influence on the creation and use of user data by and on Facebook. Nevertheless, the ECJ decided that operators of social media pages are responsible and therefore liable for compliance with data protection regulations together with the service provider (here: Facebook).
In the case to be decided by the Federal Administrative Court, the data protection authority had taken action against the operator of a Facebook fan page because of an evaluation of visitor usage data by Facebook that remained unknown to him and ordered the deactivation of the fan page. Rightly so, as the Federal Administrative Court decided. Because “against the background of the lack of willingness to cooperate [and] the unclear internal structures” of the Facebook group of companies, data protection authorities should be able to address users first for reasons of effectiveness.
In plain language: if networks such as Instagram, Facebook or Twitter violate data protection laws, the supervisory authorities can impose measures and fines not only on network operators but also on the operators of fan pages on these networks, even if they had no knowledge of the data processing carried out.
Went along, hung along
This would seem to be a blueprint for the development of data protection: Companies such as public authorities and even simple users can no longer shift their data responsibility onto platform operators. In the future, it will no longer be possible to exclude the possibility of issuing warnings, for which a fee will be charged, to operators of fan pages and company profiles on Facebook or other social networks for violations of data protection laws by platform operators.
Twitter and Facebook ban for authorities
These highly regarded judgments show that even proven experts are not immune from the potential dangers of breaches of data protection law.
Similar to the Schleswig-Holstein Data Protection Commissioner, the Bavarian State Commissioner for Data Protection, Tomas Petri, and the State Data Protection Commissioner of North Rhine-Westphalia, Helga Block, have previously expressed their views and made the recommendation that the Bavarian and North Rhine-Westphalian authorities should critically review their public relations work in social media and, if necessary, delete their appearances.
WhatsApp is also affected
The same may be true for WhatsApp and competitors such as Telegram: Data protectionists have long warned against the official use of these popular messengers because they automatically access the user’s address books without informing the user or the contacts.
A new wave of warnings looms
The judgements are beginning to have an impact. A new wave of warnings is rolling towards companies. Professional warning law firms whose business model consists of exploiting minor infringements are likely to be rubbing their hands in disgust. Not only the circle of those liable to fines, but also the circle of those entitled to issue warnings has been considerably expanded.
Even for private blogs and websites serving solely to provide information or express opinions, comprehensive imprint and data protection declaration obligations apply, the – also unintentional – non-observance of which can be expensive.
But Facebook itself also remains a source of danger for users. As early as 5 September 2018, the Conference of Independent Data Protection Supervisors of the Federal and State Governments (DSK) decided that it was illegal to operate a Facebook fan page without concluding an agreement as to which of the parties jointly responsible bears which responsibility for user data.
The compliance with these legal requirements has been made more difficult by the fact that Facebook did not provide for the possibility of integrating a data protection declaration or a corresponding responsibility agreement on its fan pages in compliance with the DSGVO. The company is only offering a corresponding agreement as a result of the ECJ ruling. However, this does not eliminate the dangers.
How can I protect myself against fines?
Operators of websites, blogs, Facebook customizations as well as users of social media now have to weigh up the risks. This includes the following questions:
- Do I use a platform or a service of another company on which data of my customers, guests or visitors are collected or processed?
- Does the third party provider offer the possibility of an agreement on who is responsible for the data processing?
- Can I use my fan page or my company profile to inform my visitors about how I and the third party provider handle visitor data?
- What data processing is carried out by the third party and by me and what do I have to tell the visitor about it?
As a result, it must be assessed whether one can meet the strict data protection requirements and information obligations and what the probability is that one will be held liable if these requirements and obligations cannot be met.
Operators of websites and Facebook-Fanpages or entrepreneur profiles are according to Art. 12 ff. DSGVO, operators of websites and Facebook adaptations or company profiles are obliged to maintain a transparent and complete data protection declaration on what type of data is stored, to what extent and for what purpose, on what legal basis this data processing is based, and who is the recipient of this data. The user should be informed as transparently as possible. Not only missing but also incomplete data protection declarations lead to a warning with costs.
Do privacy statement generators make sense?
Basically, data protection declaration generators on the Internet offer a good initial orientation as to which information data protection declarations must contain.
Nevertheless, in individual cases it may be disputed which information must be included in the data protection declaration. Generators also do not take into account where and how the privacy statement must be included. Ultimately, the result of generators also always depends on the data entered. It is therefore necessary that the person entering the data correctly assesses what information is entered where. Laypersons often do not trust themselves to make this assessment, so it can be useful to get professional support in creating data protection declarations.
In addition, for a legally compliant integration of a data protection declaration in telephone calls or in print media, a media break may be necessary, for example because a complete data protection declaration cannot be transmitted in every contact. It is difficult for a generator to provide information about the best procedure in such cases.
Data protection as a curse and blessing
However, data protection should not be seen as a curse but as a blessing: The success of a data processing company depends to a large extent on the trust placed in it by its customers. Early and comprehensive information about the type and scope of data processing and the rights of customers can be a confidence-building measure. From the customer’s point of view, this requires early, transparent and legally compliant information about which data is collected and transmitted for which purposes.
Only individually created data protection declarations offer security
Reality shows: Data protection law and the interweaving with other legal requirements are complex, even for entrepreneurs. Generators serve rather for information purposes and cannot replace sound legal advice. In order not to expose yourself to the risk of an expensive warning, it is advisable to have a lawyer prepare a legally compliant data protection declaration. Only in this way can interdisciplinary and cross-legal problems be addressed and possible sources of danger be eliminated at an early stage.
We would be pleased to advise you on this. Talk to us!