€20M Fine for Advertising on Facebook? Let’s Hope Not

Another sector (apart from banking) which may have difficulty with GDPR is digital media, including Facebook and Google.

Recently a senior EU judge, A. G. Bot, has  shockingly determined that a company called Wirtshaftsakademie Schleswig-Holstein GmbH, which was using the cookie-based facility ‘Facebook Insights’ to target ads, was a data controller, i.e. a joint controller with Facebook, (by the definition of Directive 95/46/EC of EU law) even though the company did not process the personal data that Facebook was using, nor indeed did it even have access to it.  According to Judge Bot, it was sufficient that the company knew what Facebook would do when it set up its fan page. The problem was that it did not warn users of its page that data was being gathered (and presumably that it did not ask for consent).

If this judgement stands, it may mean that, under GDPR, any advertiser on Facebook, or indeed and advertiser on Google, may be held responsible for misuse of any web user’s personal data that is handled by these giants.

Essentially Judge Bot’s reasoning was as follows:

  1. A business may choose to put tracking code on their own website that places cookies on the machine of a visitor to the site. These cookies can then be used to target that user with ads benefiting the business owner.
  2. This is equivalent to what happens when a business sets up a fan page on Facebook and Facebook tracking code places “Facebook Insights” cookies on the machine of a visitor to that page that can then be used to target that user with ads benefitting the business owner.
  3. The business is clearly a controller of personal data in Case 1) and therefore is also a controller of personal data in Case 2).  The fact that a third party provider, with its own non-negotiable methods for collecting data, is used is immaterial.
  4. Bot clarifies his reasoning by stating that the creation of the fan page is what makes the processing of the personal data possible. Removing the fan page would remove the possibility of processing that particular Facebook personal data.
  5. Bot strengthens his case by claiming that, by changing the filter settings within Facebook insights, the business can even more precisely control what personal data is recorded when someone visits the fan page.

It should be stated, as a caveat, that filters affect the viewing of data, not how it is collected, so argument 5) is invalid. However, the fundamental argument still holds and this opens a can of worms for advertisers on both Facebook and even Google AdWords (including YouTube). Potentially it goes beyond even that to any situation where a client is using a supplier’s services and the supplier provides those services by using personal data controlled and processed by themselves. An example would be a market research company running a focus group for a client. Furthermore, Facebook personal data processing goes beyond the simple and contained scenario envisaged in 2) and 4). Activity by users of the fan page maybe used to profile those users and those profiles may, in turn, be used to target ads of other advertisers. Therefore potentially the fan page owner and the advertisers are both separately complicit in the processing of that data.

What the the business clients of Facebook and Google would be entering into is a horrible joint-controller situation. They can’t totally control how the data is processed, since Facebook and Google are not merely processors purely acting only on specific instruction, but the client has some measure of control and complicity – even through the mere fact that they have commissioned services from the supplier – and therefore under GDPR they are potentially liable for all the faults of the supplier in handling personal data relating to the services provided to them.

This is inequitable and should be addressed by the EU law-makers. Whether it will be is another matter.

Facebook and Google seem to be working hard to prepare for GDPR and indeed Facebook does now put a pop-up cookie warning on pages when they are visited by non-Facebook users (Facebook users are supposedly covered under the Facebook user agreement) but one feels that almost inevitably there will be holes in their process. Will advertisers be caught in the crossfire?

Maybe the best that they can hope for is that, since all of them are in the same boat, for one alone to be picked on is unlikely.

But tell that to Wirtschaftsakademie.

Disclaimer: This article is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. It reflects the views and opinions of its author and not of the company as a whole.