Germany’s data protection commissioner (DPC) has been one of the toughest in the EU on Big Tech, and apparently no longer has faith in Facebook to properly secure government pages. German government organizations have been told that they should shut down their official Facebook Pages by January 2022 or face potential enforcement action under data privacy laws.
DPC Ulrich Kelber is not mandating that the organizations close their pages, but is “strongly recommending” it due to repeated compliance problems with Facebook. Flaws in the Facebook Pages that go unaddressed by the social media giant could land the country’s agencies in hot water as of 2022 as they are held responsible for any mishandling of personal information that passes through the page.
Data protection commissioner fed up with Facebook
Not all German government agencies maintain Facebook Pages, but those that do can have hundreds of thousands of followers and regular interactions. The country’s main page has nearly a million followers. If Facebook does not address the compliance issues raised in Germany by the end of 2021, these pages will likely be going offline.
The data protection commissioner says that he has considered this action for some time but has held off due to agencies reporting that German citizens find the Facebook Pages useful. However, he believes that government agencies cannot hold themselves as exceptions to personal data protection laws and must lead by example.
The issue dates back to a June 2018 ruling by Europe’s highest court (the CJEU) that administrators of “fan pages” made with big tech pages share responsibility for the platform’s processing of personal data; they are a “joint data controller” in the eyes of the law. It also involves a case brought by the data protection commissioner’s agency (the Bundeskartellamt) that began in 2016 and culminated with an early 2019 ruling against Facebook. Facebook was found in violation of the GDPR for combining information from its main site with personal data taken from its subsidiary sites (such as Instagram) without obtaining permission from the end user. The data protection commissioner says that Facebook never fully rectified this issue.
In this case, page operators cannot really ensure compliance with the law because they have relatively little insight into or control over how Facebook collects and processes this data throughout its sprawling, internet-spanning targeted advertising network. The page owner is held to a lower standard than Facebook is under the law, but even with that the tools at hand are not adequate to ensure compliance. Given that Facebook is unlikely to make concessions to the German government over what it no doubt considers a relatively minor loss of business, the country’s organizations are left with no real choice but to abandon their Facebook Pages.
Facebook Pages may not be the end of data protection commissioner’s actions
At the moment, the data protection commissioner is only asking the country’s organizations to stop using Facebook Pages. But the memorandum notes that there are ongoing probes into Instagram, TikTok and Clubhouse, and recommends that agencies not use these apps on business devices either.
One of the central issues for any of these apps is an inability to prevent data from being passed to the United States, something that is now a violation of the General Data Protection Regulation (GDPR). The US was judged to be an “inadequate” third country for data transmission purposes last year as a result of the Schrems II case, something that Facebook was also a central part of. The case established that US law allows for the government to seize the data of foreign citizens in a way that violates the GDPR; cross-Atlantic data transfer partners now have to enter into special contracts that ensure the data is protected once inside of US borders via encryption or depersonalization. The German data protection commissioner asked Facebook for additional guarantees that it would comply with the GDPR in this way, a request that it did not respond to.
Facebook has had several run-ins with data privacy and anticompetition laws in Germany, all of which may have contributed to the decision to put an end to government use of Facebook Pages. In mid-2019, Facebook was fined the equivalent of $2.3 million for under-reporting complaints about illegal content and hate speech on its platform (something required by transparency laws). The company was also recently hit by its first EU antitrust probe, which relates to the case brought by the German data protection commissioner in 2016; the European Commission is looking into whether Facebook’s use of data from its multiple services violates antitrust regulations when it is used to bolster its own competing services (for example, using information captured from its digital advertising service as a competitive advantage in Facebook Marketplace).