Germany's federal information commissioner has run out of patience with Facebook.
Last month, Ulrich Kelber wrote to government agencies "strongly recommend[ing]" they to close down their official Facebook Pages because of ongoing data protection compliance problems and the tech giant's failure to fix the issue.
In the letter, Kelber warns the government bodies that he intends to start taking enforcement action from January 2022 -- essentially giving them a deadline of next year to pull their pages from Facebook.
So expect not to see official Facebook Pages of German government bodies in the coming months.
While Kelber's own agency, the BfDi, does not appear to have a Facebook Page (although Facebook's algorithms appear to generate this artificial stub if you try searching for one) plenty of other German federal bodies do -- such as the Ministry of Health, whose public page has more than 760,000 followers.
The only alternative to such pages vanishing from Facebook's platform by Christmas -- or else being ordered to be taken down early next year by Kelber -- seems to be for the tech giant to make more substantial changes to how its platform operators than it has offered so far, allowing the Pages to be run in Germany in a way that complies with EU law.
However Facebook has a long history of ignoring privacy expectations and data protection laws.
It has also, very recently, shown itself more than willing to reduce the quality of information available to users -- if doing so further its business interests (such as to lobby against a media code law, as users in Australia can attest).
So it looks rather more likely that German government agencies will be the ones having to quietly bow off the platform soon...
Kelber says he's avoided taking action over the ministries' Facebook Pages until now on account of the public bodies arguing that their Facebook Pages are an important way for them to reach citizens.
However his letter points out that government bodies must be "role models" in matters of legal compliance -- and therefore have "a particular duty" to comply with data protection law. (The EDPS is taking a similar tack by reviewing EU institutions' use of US cloud services giants.)
Per his assessment, an "addendum" provided by Facebook in 2019 does not rectify the compliance problem and he concludes that Facebook has made no changes to its data processing operations to enable Page operators to comply with requirements set out in the EU's General Data Protection Regulation.
A ruling by Europe's top court, back in June 2018, is especially relevant here -- as it held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the data of visitors to the page.
That means that the operators of such pages also face data protection compliance obligations, and cannot simply assume that Facebook's T&Cs provide them with legal cover for the data processing the tech giant undertakes.
The problem, in a nutshell, is that Facebook does not provide Pages operates with enough information or assurances about how it processes users' data -- meaning they're unable to comply with GDPR principles of accountability and transparency because, for example, they're unable to adequately inform followers of their Facebook Page what is being done with their data.
There is also no way for Facebook Page operators to switch off (or otherwise block) wider processing of their Page followers by Facebook. Even if they don't make use of any of the analytics features Facebook provides to Page operators.
The processing still happens.
This is because Facebook operates a take-it-or-leave it 'data maximizing' model -- to feed its ad-targeting engines.
But it's an approach that could backfire if it ends up permanently reducing the quality of the information available on its network because there's a mass migration of key services off its platform. Such as, for example, every government agency in the EU deleted its Facebook Page.
A related blog post on the BfDi's website also holds out the hope that "data protection-compliant social networks" might develop in the Facebook compliance vacuum.
Certainly there could be a competitive opportunity for alternative platforms that seek to sell services based on respecting users' rights.
The German Federal Ministry of Health's verified Facebook Page (Screengrab: TechCrunch/Natasha Lomas)
Discussing the BfDis intervention, Luca Tosoni, a research fellow at the University of Oslo's Norwegian Research Center for Computers and Law, told TechCrunch: "This development is strictly connected to recent CJEU case law on joint controllership. In particular, it takes into account the Wirtschaftsakademie ruling, which found that the administrator of a Facebook page should be considered a joint controller with Facebook in respect of processing the personal data of the visitors of the page.
"This does not mean that the page administrator and Facebook share equal responsibility for all stages of the data processing activities linked to the use of the Facebook page. However, they must have an agreement in place with a clear allocation of roles and responsibilities. According to the German Federal Commissioner for Data Protection and Freedom of Information, Facebook’s current data protection 'Addendum' would not seem to be sufficient to meet the latter requirement."
"It is worth noting that, in its Fashion ID ruling, the CJEU has taken the view that the GDPR’s obligations for joint controllers are commensurate with those data processing stages in which they actually exercise control," Tosoni added. "This means that the data protection obligations a Facebook page administrator would normally tend to be quite limited."
Warnings for other social media services
This particular compliance issue affects Facebook in Germany -- and potentially any other EU market. But other social media services may face similar problems too.
For example, Kelber's letter flags an ongoing audit of Instagram, TikTok and Clubhouse -- warning of "deficits" in the level of data protection they offer too.
He goes on to recommend that agencies avoid using the three apps on business devices.
In an earlier, 2019 assessment of government bodies' use of social media services, the BfDi suggested usage of Twitter could -- by contrast -- be compliant with data protection rules. At least if privacy settings were fully enabled and analytics disabled, for example.
At the time the BfDi also warned that Facebook-owned Instagram faced similar compliance problems to Facebook, being subject to the same "abusive" approach to consent he said was taken by the whole group.
Reached for comment on Kelber's latest recommendations to government agencies, Facebook did not engage with our specific questions -- sending us this generic statement instead:
“At the end of 2019, we updated the Page Insights addendum and clarified the responsibilities of Facebook and Page administrators, for which we took questions regarding transparency of data processing into account. It is important to us that also federal agencies can use Facebook Pages to communicate with people on our platform in a privacy-compliant manner.”
An additional complication for Facebook has arisen in the wake of the legal uncertainty following last summer's Schrems II ruling by the CJEU.
Europe's top court invalidated the EU-US Privacy Shield arrangement, which had allowed companies to self-certify an adequate level of data protection, removing the easiest route for transferring EU users' personal data over to the US. And while the court did not outlaw international transfers of EU users' personal data altogether it made it clear that data protection agencies must intervene and suspend data flows if they suspect information is being moved to a place, and in in such a way, that it's put at risk.
Following Schrems II, transfers to the US are clearly problematic where the data is being processed by a US company that's subject to FISA 702, as is the case with Facebook.
Indeed, Facebook's EU-to-US data transfers were the original target of the complainant in the Schrems II case (by the eponymous Max Schrems). And a decision remains pending on whether the tech giant's lead EU data supervisor will follow through on a preliminary order last year to it should suspend its EU data flows -- due in the coming months.
Even ahead of that long-anticipated reckoning in Ireland, other EU DPAs are now stepping in to take action -- and Kelber's letter references the Schrems II ruling as another issue of concern.
Tosoni agrees that GDPR enforcement is finally stepping up a gear. But he also suggested that compliance with the Schrems II ruling comes with plenty of nuance, given that each data flow must be assessed on a case by case basis -- with a range of supplementary measures that controllers may be able to apply.
"This development also shows that European data protection authorities are getting serious about enforcing the GDPR data transfer requirements as interpreted by the CJEU in Schrems II, as the German Federal Commissioner for Data Protection and Freedom flagged this as another pain point," he said.
"However, the German Federal Commissioner sent out his letter on the use of Facebook pages a few days before the EDPB adopted the final version its recommendations on supplementary measures for international data transfers following the CJEU Schrems II ruling. Therefore, it remains to be seen how German data protection authorities will take these new recommendations into account in the context of their future assessment of the GDPR compliance of the use of Facebook pages by German public authorities.
"Such recommendations do not establish a blanket ban on data transfers to the US but impose the adoption of stringent safeguards, which will need to be followed to keep on transferring the data of German visitors of Facebook pages to the US."
Another recent judgment by the CJEU reaffirmed that EU data protection agencies can, in certain circumstances, take action when they are not the lead data supervisor for a specific company under the GDPR’s one-stop-shop mechanism -- expanding the possibility for litigation by watchdogs in Member States if a local agency believes there's an urgent need to act.
Although, in the case of the German government bodies' use of Facebook Pages, the earlier CJEU ruling finding on joint law controllership means the BfDi already has clear jurisdiction to target these agencies' Facebook Pages itself.