All parties processing personal data have a duty to ensure compliance with the General Data Protection Regulation (GDPR). The obligations imposed by the Regulation apply when an organization uses social media, e.g. a Page on Facebook.
A Data Protection Impact Assessment (DPIA) is an important tool for ensuring that the privacy of the users registered in a solution is protected. We have now used this tool to assess Facebook, and the assessment has resulted in a report.
Will not use Facebook in own communication work
- The starting point for our assessment was the use of Facebook in our communication activities, and the goal was to establish a Facebook Page. The report’s original and primary purpose was to enable us to make an informed decision. However, we believe that this assessment would also be of great interest to many other businesses, says Director-General of the Data Protection Authority, Bjørn Erik Thon.
Our conclusion was that the Data Protection Authority should not use Facebook in its communication activities. We believe the risks to the users’ rights and freedoms associated with the processing of personal data through a Page on Facebook are too high. We also found that the Data Protection Authority would not be sufficiently compliant with Article 26 on joint controllership, as we find the standard arrangement between Facebook and us to be inadequate.
- We believe that those who had visited our Facebook Page would have an expectation that we have control of what happens if, for example, they click “like” on our Page, or what kind of information was registered just by visiting our Page. We simply cannot answer that, says Thon.
- As far as we know, we are the only organization to carry out a thorough assessment of Facebook Pages based on the obligations of the GDPR. The assessment has been challenging and comprehensive, and it led to a wide range of difficult considerations involving technology, law and ethics. We believe many organizations would benefit from having a DPIA case study, says Bjørn Erik Thon, who emphasizes that the assessments only apply to the Data Protection Authority’s own use of Facebook. It should be noted that the Data Protection Authority, in this context, does not comment on the general legality of organizations using Facebook Pages or social media in general in their communication activities.
The Data Protection Authority’s role in this assessment is neither that of a supervisory authority nor that of an ombudsman, but rather that of a data controller, with the obligations that follow from this role under the GDPR. We have based the assessment on the Data Protection Authority’s own guidelines and checklist for risk assessments and Data Protection Impact Assessments (in Norwegian).
The Norwegian Data Protection Authority has not involved Facebook in the risk assessment, because we did not want to risk mixing our roles as supervisory authority and data controller. The risk assessment is thus based on the same sources and the same terms that apply to every other organization that uses, or is considering creating, a Page on the platform.
Special responsibility for public agencies
- Our approach is just one way of going about this. All assessments and contributions in this area are welcome, and the relevant legislation allows for considerable flexibility in terms of method, execution and resources. We want to build a discourse on the use of social media by public authorities, says Bjørn Erik Thon.
By using the most popular tools available, free of charge, from the large technology companies, public agencies invite commercial actors to collect and use data about Norwegian citizens. At the same time, a relationship of dependency is created which it can be difficult to break free from as there are few alternative service providers.
Norwegian DPA choose not to use Facebook (English, PDF)
This report is an abridged version of the Norwegian report. Below is a brief summary of the assessment.
First, the report gives a systematic description of the data processing associated with having a Page on Facebook. The objective is for us, as the data controller, to gain a comprehensive overview of the processing and to ensure that the descriptions are as complete and as clear as possible. These descriptions include the nature, scope, purpose, context, sources and recipients of the processing, as well as an assessment of the information security of the solution.
- We believe the risks to the data subjects’ rights and freedoms associated with the processing of personal data through a Page on Facebook are too high. As a Page owner, we would not be able to implement measures to satisfactorily mitigate these risks, says Anders Ballangrud. He is a communication adviser with the Data Protection Authority, and he was the head of the internal assessment.
The working party also tried to clarify legal liability. Roles and liabilities in social media have been addressed in rulings made by the European Court of Justice (ECJ). Two rulings in particular, Wirtschaftsakademie and Fashion ID, establish that interaction between social media and other parties may constitute joint controllership pursuant to Article 26 of the General Data Protection Regulation.
- Our assessment is that the Data Protection Authority would not be in compliance with Article 26 on joint controllership. We believe that the Data Protection Authority’s joint controller arrangement with Facebook is unsatisfactory. Also, it will not be possible for the Data Protection Authority to establish a separate arrangement with Facebook, Ballangrud says.
Necessity and proportionality
The working party then assesses the necessity and proportionality of the data processing. The objective is to ensure that the choices we make in our capacity as data controller are legitimate and performed in such a way that the processing is proportionate to the purpose. We assess whether the data protection principles (Articles 5, 6 and 9), the rights of data subjects (Articles 12 to 22) and the freedoms of data subjects (the Preamble, and Article 8 of the ECHR) are protected.
- Despite the fact that we, as a Page owner, would have the intention of protecting the legal basis, privacy principles and the rights and freedoms of data subjects, we would be at the mercy of Facebook and its terms and conditions by creating and using a page on the platform. We do, however, present some measures that may mitigate some data protection risks for the individual user in the report, says Ballangrud.
Data protection by design and by default are key principles in data protection legislation. These principles should also be included in arrangements with providers.
- As a data controller, we do not find that Facebook has provided adequate guarantees that this tool or platform has data protection by design and by default, says Ballangrud.
The perspective of the data subject
Based on our mapping in the systematic description, and our assessments of necessity and proportionality, we concluded that the risks to the data subjects’ rights and freedoms were high. That is why we carried out a data protection impact assessment pursuant to Article 35 of the GDPR.
- This is a process where we flip the perspective and look at the processing from the data subject’s point of view. We maintain our focus on data protection, but also take into consideration co-determination, transparency and predictability of the processing from the Facebook user’s perspective. We do this to determine whether the processing still can be performed in a manner that is acceptable and builds trust vis-à-vis those whose personal data we process, says Ballangrud.
The working party also consulted with the Data Protection Authority’s data protection officer, in accordance with Article 35 (2) of the GDPR.
The working party presented its assessments to management in accordance with the Regulation’s accountability principle. Based on the report, which includes the working party’s and the data protection officer’s recommendations, the Data Protection Authority decided not to create and communicate through a Page on Facebook.