Facebook's Page Insights Controller Addendum (an addition to the main policy) applies to anyone administering a Facebook Page within the European Economic Area (EEA). The EEA consists of the 28 EU countries plus Iceland, Liechtenstein, and Norway.
It requires Facebook Page admins to display or link to particular information on their Page in order to comply with the law. The best way to do this is to have a Privacy Policy containing certain information.
Note that the Policy Addendum may not apply if you're using your page for purely personal or household activity.
This article will describe Facebook's requirements, the background and legal reasons for the requirements, and how you can write a Privacy Policy that complies with the addendum.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
- At Step 1, select the Website option or App option or both.
- Answer some questions about your website or app.
- Answer some questions about your business.
- Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. Background on Page Insights Controller Addendum
- 2. Privacy Law and Joint Controller Statements
- 2.1. Data Controllers in the GDPR
- 2.2. Cookies and Page Insights
- 3. Facebook's Joint Controller Duties
- 4. Facebook Page Admin's Joint Controller Duties
- 4.1. Adhering to Data Processing Principles
- 4.2. Identifying the Data Controllers
- 4.3. Communicating Your Legal Basis
- 4.4. Other Requirements for Your Privacy Policy
- 4.5. Data Requests Form
- 5. Where to Place Your Privacy Policy on Your Facebook Page
- 6. Summary of Complying with Facebook's Changes
Background on Page Insights Controller Addendum
It's worth briefly explaining the events that led Facebook to introduce this new policy. The Court of Justice of the European Union (CJEU) gave a judgment about a 2011 court case in Germany.
The case was between a German data protection authority and an education company called Wirtschaftsakademie Schleswig-Holstein ("WSH"). The data protection authority ordered WSH to take down its Facebook Page.
That's right - the highest Court of the EU got involved in a dispute about whether a company should take down its Facebook Page.
Facebook uses cookies to provide Page admins with information about the visitors on its Page via its Page Insights service. The data protection authority argued that visitors to WSH's Page should be informed about Facebook's use of cookies. The court decided that WSH shared responsibility with Facebook for this.
Privacy Law and Joint Controller Statements
The Court decided that when it comes to Insights data, Facebook Page admins are "joint controllers" with Facebook. This has some pretty significant implications.
If you're a Facebook Page admin, both you and Facebook are responsible for complying with the GDPR in relation to Facebook's Page Insights service.
Data Controllers in the GDPR
The EU's data protection laws have changed a lot since 2011. Instead of the old Data Protection Directive privacy law, which was in force at the time, we now have the GDPR. But the relevant part of the law, the definition of a "data controller," still applies.
Under Article 4 (7) of the GDPR, a data controller is a person or organization who "determines the purposes and means of the processing of personal data." This means someone who decides why and how personal data is processed.
And Article 26 of the GDPR uses the term joint controllers - "two or more controllers [who] jointly determine the purposes and means of processing." Joint controllers can decide between themselves who takes responsibility for complying with which of the various obligations under the GDPR and other privacy laws. They don't each need to comply with the whole law - so long as they have it all covered between them.
Some companies have put out statements or added sections to their Privacy Policy to explain how they process personal data "jointly."
Soho Works, for example, has written a Joint Controller Statement:
These statements will disclose who the parties are that handle personal information, and what their relationship is.
Cookies and Page Insights
Certain cookies are considered personal data under privacy law. This is because they can be used to identify individual visitors to a website.
Another EU law, known as the ePrivacy Directive, has more to say about cookies than the GDPR. It states that they should only be used "on condition that users are provided with clear and precise information [and are] made aware of information being placed on the terminal equipment they are using."
Facebook's Page Insights feature uses cookies to give Page admins data about visitors to their Page, as it explains in its Cookie Policy:
You might see now why the EU's top court feels it's so important for visitors to Facebook Pages to be told about cookies. This isn't particularly controversial. The surprising thing about this recent decision is more about who should be telling them - not just Facebook, but the Page administrator as well.
Facebook's Joint Controller Duties
It's clear that Facebook and Facebook Page admins are considered to be joint controllers under law, and therefore both are legally responsible for informing visitors about cookies.
Joint controllers have to decide amongst themselves who will comply with which legal obligations.
Facebook's new policy is a way for it to clearly set out what Facebook will do and what you (a Page admin) must do.
You might be pleased to hear that although you are a joint controller with Facebook, Facebook takes on most of the responsibilities.
Here's an excerpt from the Policy Addendum:
"Facebook Ireland agrees to take primary responsibility under the GDPR for the processing of Insights Data and to comply with all applicable obligations under the GDPR [...]"
Facebook specifically says it will take care of the duties covered by the following GDPR Articles:
- Articles 12 and 13, which set out the information that should be provided to visitors.
- Articles 15 to 22, which cover visitors' data rights.
- Articles 32 to 34, which cover data security.
But take note that Page admins have some duties in respect to Page Insights under these articles, too.
Facebook also makes it clear that although Page admins are joint controllers, Facebook will be responsible for the processing of Page Insights data.
"Facebook Ireland remains solely responsible for the processing of personal data in connection with Page Insights other than that covered by the scope of this Page Insights Addendum."
By agreeing to the Policy Addendum, you also agree to resolve any legal issues that might arise in the courts of Ireland. Choosing a jurisdiction for legal disputes is quite common in terms and policies like this.
"[...] any claim, cause of action or dispute that you have against us, which arises out of or relates to this Page Insights Addendum, must be resolved exclusively in the courts of Ireland [...]"
Facebook Page Admin's Joint Controller Duties
You can see that Facebook tries to make things as easy as possible for Page admins so that it can continue to provide Insights with minimal disruption. It isn't able to subsume all of the duties that you share as joint controllers, though.
In its Pages, Groups and Events Policies document, Facebook requires that you provide notice and obtain user consent if your Facebook Page collects content and information from users:
The best way to comply with the legal obligations that remain with you, as a Page admin, is to have a compliant Privacy Policy.
- If you do have a Privacy Policy, you need to make some changes to it.
- If you don't yet have a Privacy Policy, it's very important that you create one.
Adhering to Data Processing Principles
Article 5 of the GDPR sets out six principles that all data processing must follow. Facebook's new policy doesn't refer specifically to these principles. But as a joint controller, you're accountable to them.
The most relevant of these principles is the first one - "lawfulness, fairness and transparency." The "transparency" element of this principle is what requires you to communicate all of your data processing activities. This is why you need a Privacy Policy.
Identifying the Data Controllers
One of the first things to appear in any Privacy Policy should be the name and contact details of the data controller.
Facebook's Policy Addendum requires you to "identify the data controller for the Page."
Here's how retailer Heldburgs does this in this version of its Privacy Policy (written specifically to comply with Facebook's Policy Addendum):
Facebook also suggests that you can comply with this requirement by adding your company's information to the "About" section of your Page:
Communicating Your Legal Basis
Facebook's Policy Addendum states:
"You should ensure that you have a legal basis for the processing of Insights Data under the GDPR [...]"
Under Article 6 of the GDPR, you can only process personal data on one of six legal bases:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Your legal basis for the different types of data processing you do will depend on the nature of your company. Using cookies, however, is generally only possible under the lawful basis of consent.
Here's how Moz sets out its lawful bases in its Privacy Policy:
It's most common to rely on legitimate interests as the lawful basis for using Page Insights.
Janitza has added the following section to its Privacy Policy:
As well as highlighting some of the uncertainty this decision has caused Facebook Page admins, Janitza refers to "Article 6 (1) (f) of the GDPR" as its legal basis for using Page Insights. This means that it's using Facebook Insights under legitimate interests.
If you plan to use legitimate interests as your lawful basis for using Page Insights, you will need to conduct a Legitimate Interests Assessment.
Other Requirements for Your Privacy Policy
Facebook's Policy Addendum also requires you to "comply with any other applicable legal obligations."
As joint controller, Facebook takes responsibility for complying with Articles 12 and 13 of the GDPR, which set out some of the obligations of data controllers to provide information. Therefore, it isn't necessary for your Privacy Policy to fully explain all of the data protection implications of Page Insights.
In the spirit of transparency, however, you are required to tell your users that you use Page Insights on your Facebook Page.
Here's how Alarmy does this in its Privacy Notice:
Don't forget, though - this is the information you need to provide purely in relation to your use of Facebook's Page Insights service. You need to provide a whole range of other information in relation to your company's data processing activities, including:
- How and why you are processing personal data
- Your legal basis for each type of data processing activity
- Details of your Legitimate Interests Assessment (if you're processing some data under this legal basis)
- Who you'll be sharing personal data with (including Facebook)
- Whether you'll be transferring personal data overseas
There are also additional requirements under Article 9 of the GDPR which apply if you're processing special category (sensitive) data.
Data Requests Form
The GDPR gives users a lot of control over their personal data. Users are entitled to make requests to access, rectify or erase their personal data. They can also ask for a restriction of the ways in which their data is processed, or object outright to the processing of their data. They can make these requests to any data controller involved in processing their personal data.
Because Facebook Page admins are now joint data controllers, visitors to your Page have a right to lodge such requests with you. Supervisory authorities (data protection authorities operating in each of the EU Member States) might also contact you if there is some concern about an infringement of the GDPR or a data breach.
Facebook's Policy Addendum makes it quite clear that you are not to act on these requests, and must instead allow Facebook to do so:
"If you are contacted by data subjects or a supervisory authority under the GDPR with regard to the processing of Insights Data and the obligations assumed by Facebook Ireland under this Page Insights Addendum (each a "Request"), you will forward all relevant information to us promptly but within a maximum of seven calendar days."
Remember that this is only in respect of requests or inquiries about Facebook Page Insights. Your company must have its own systems in place to deal with requests relating to any of its other data processing activities.
Where to Place Your Privacy Policy on Your Facebook Page
Facebook allows you to specifically link to your Privacy Policy on your Facebook Page. Edit your About section to see this:
Steps:
First, go to your Facebook Page dashboard and select "Edit Page Info" in the top right-hand corner.
Scroll down to the bottom of the page, then enter a link to your Privacy Policy into the box.
A link to your Privacy Policy will now appear on your Facebook Page.
Summary of Complying with Facebook's Changes
It's not all that difficult for Page admins to comply with Facebook's requirements. Just make sure that you:
- Read Facebook's Policy Addendum carefully.
- Have a GDPR-compliant Privacy Policy that contains information about:
  - Your company's name and contact details
  - Facebook's contact details
  - Your legal basis for using Facebook Insights
  - Any other information you need to comply with the GDPR
- Use Facebook's special form to make it aware of:
  - Any request from your users who wish to exercise their data rights in respect of Facebook Insights;
  - Any inquiry from a supervisory authority about Facebook Insights.
- Link to your Privacy Policy by utilizing your Facebook Page dashboard.