Germany: Ban on Facebook fan page permitted

The starting point
The courts have been dealing with the dispute between the Wirtschaftsakademie Schleswig-Holstein (Business Academy Schleswig-Holstein) and the Unabhängiger Landeszentrum für Datenschutz (ULD [Independent National Centre for Data Protection]) for more than eight years now. Originally, the ULD had prohibited the Academy from continuing the “fan page” presence it maintained on Facebook. On the one hand, the lack of information on data processing and the rights of data subjects and, on the other, the ineffectiveness of objections by users were criticised. The Business Academy initially successfully defended itself against this before the Higher Administrative Court (OVG). In June 2018, the European Court of Justice ruled that the operator of a Facebook fan page was jointly responsible for the data processing operations carried out there, following a submission by the Federal Administrative Court (Bundesverwaltungsgericht - BVerwG). After all, it is the operator who makes data processing by Facebook possible in the first place by means of the fan page it maintains.

The decision of the BVerwG
The German Federal Administrative Court thereupon recently reversed the appeal decision. The ULD was not obliged to take action against any of Facebook’s subsidiaries because this would have entailed considerable actual and legal uncertainty due to the lack of willingness to cooperate. If the data processing operations on the Academy’s fan page were to be classified as unlawful, the order to deactivate them was, in the view of the BVerwG, also a proportionate means. The Business Academy would not have any other options for the creation of data protection-compliant conditions.

However, the proceedings have not yet been completed. The Federal Administrative Court referred the matter back to the Higher Administrative Court of Schleswig-Holstein in order to clarify the question of the illegality of data processing. In this respect, it will be interesting to see whether it will be possible to reveal the data processing procedures conducted by Facebook in more detail.

Consequences in practice
Almost every company has not only a homepage, but also a Facebook page. However, a legally safe operation of a Facebook fan page is hardly possible from a data protection point of view and according to current knowledge - the data processing of Facebook is too opaque.

In addition, the principles established by this ruling - as well as the pioneering ruling of the European Court of Justice on joint liability - also apply in principle to other social media companies.

If the operators of a Facebook fan page do not want to take any risks, the only option is to deactivate the social media page. If this is not desired from an entrepreneurial point of view and the associated risk is accepted, at least as much information as possible about the data processing processes should be provided. A separate privacy policy should be implemented on each page.

Author: Sarah C. Schlösser