Facebook's Page Insights Controller Addendum (an addition to the main policy) applies to anyone administering a Facebook Page within the European Economic Area (EEA). The EEA consists of the 28 EU countries plus Iceland, Liechtenstein, and Norway.
Note that the Policy Addendum may not apply if you're using your page for purely personal or household activity.
- 1. Background on Page Insights Controller Addendum
- 2. Privacy Law and Joint Controller Statements
- 2.1. Data Controllers in the GDPR
- 2.2. Cookies and Page Insights
- 3. Facebook's Joint Controller Duties
- 4. Facebook Page Admin's Joint Controller Duties
- 4.1. Adhering to Data Processing Principles
- 4.2. Identifying the Data Controllers
- 4.3. Communicating Your Legal Basis
- 4.5. Data Requests Form
- 6. Summary of Complying with Facebook's Changes
Background on Page Insights Controller Addendum
It's worth briefly explaining the events that led Facebook to introduce this new policy. The Court of Justice of the European Union (CJEU) gave a judgment about a 2011 court case in Germany.
The case was between a German data protection authority and an education company called Wirtschaftsakademie Schleswig-Holstein ("WSH"). The data protection authority ordered WSH to take down its Facebook Page.
That's right - the highest Court of the EU got involved in a dispute about whether a company should take down its Facebook Page.
Privacy Law and Joint Controller Statements
The Court decided that when it comes to Insights data, Facebook Page admins are "joint controllers" with Facebook. This has some pretty significant implications.
If you're a Facebook Page admin, both you and Facebook are responsible for complying with the GDPR in relation to Facebook's Page Insights service.
Data Controllers in the GDPR
The EU's data protection laws have changed a lot since 2011. Instead of the old Data Protection Directive privacy law, which was in force at the time, we now have the GDPR. But the relevant part of the law, the definition of a "data controller," still applies.
Under Article 4 (7) of the GDPR, a data controller is a person or organization who "determines the purposes and means of the processing of personal data." This means someone who decides why and how personal data is processed.
And Article 26 of the GDPR uses the term joint controllers - "two or more controllers [who] jointly determine the purposes and means of processing." Joint controllers can decide between themselves who takes responsibility for complying with which of the various obligations under the GDPR and other privacy laws. They don't each need to comply with the whole law - so long as they have it all covered between them.
Soho Works, for example, has written a Joint Controller Statement:
These statements will disclose who the parties are that handle personal information, and what their relationship is.
Cookies and Page Insights
Certain cookies are considered personal data under privacy law. This is because they can be used to identify individual visitors to a website.
Another EU law, known as the ePrivacy Directive, has more to say about cookies than the GDPR. It states that they should only be used "on condition that users are provided with clear and precise information [and are] made aware of information being placed on the terminal equipment they are using."
You might see now why the EU's top court feels it's so important for visitors to Facebook Pages to be told about cookies. This isn't particularly controversial. The surprising thing about this recent decision is more about who should be telling them - not just Facebook, but the Page administrator as well.
Facebook's Joint Controller Duties
It's clear that Facebook and Facebook Page admins are considered to be joint controllers under law, and therefore both are legally responsible for informing visitors about cookies.
Joint controllers have to decide amongst themselves who will comply with which legal obligations.
Facebook's new policy is a way for it to clearly set out what Facebook will do and what you (a Page admin) must do.
You might be pleased to hear that although you are a joint controller with Facebook, Facebook takes on most of the responsibilities.
Here's an excerpt from the Policy Addendum:
"Facebook Ireland agrees to take primary responsibility under the GDPR for the processing of Insights Data and to comply with all applicable obligations under the GDPR [...]"
Facebook specifically says it will take care of the duties covered by the following GDPR Articles:
- Articles 12 and 13, which set out the information that should be provided to visitors.
- Articles 15 to 22, which cover visitors' data rights.
- Articles 32 to 34, which cover data security.
But take note that Page admins still have some duties of their own under these articles with respect to Page Insights.
Facebook also makes it clear that, although Page admins are joint controllers, Facebook alone remains responsible for any processing connected with Page Insights that falls outside the scope of the Addendum.
"Facebook Ireland remains solely responsible for the processing of personal data in connection with Page Insights other than that covered by the scope of this Page Insights Addendum."
By agreeing to the Policy Addendum, you also agree to resolve any legal issues that might arise in the courts of Ireland. Choosing a jurisdiction for legal disputes is quite common in terms and policies like this.
"[...] any claim, cause of action or dispute that you have against us, which arises out of or relates to this Page Insights Addendum, must be resolved exclusively in the courts of Ireland [...]"
Facebook Page Admin's Joint Controller Duties
You can see that Facebook tries to make things as easy as possible for Page admins so that it can continue to provide Insights with minimal disruption. It isn't able to subsume all of the duties that you share as joint controllers, though.
In its Pages, Groups and Events Policies document, Facebook requires that you provide notice and obtain user consent if your Facebook Page collects content and information from users:
Adhering to Data Processing Principles
Article 5 of the GDPR sets out six principles that all data processing must follow. Facebook's new policy doesn't refer specifically to these principles, but as a joint controller you remain accountable for complying with them.
Identifying the Data Controllers
Facebook's Policy Addendum requires you to "identify the data controller for the Page."
Facebook also suggests that you can comply with this requirement by adding your company's information to the "About" section of your Page:
Communicating Your Legal Basis
Facebook's Policy Addendum states:
"You should ensure that you have a legal basis for the processing of Insights Data under the GDPR [...]"
Article 6 of the GDPR provides six lawful bases for processing personal data:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Your legal basis for the different types of data processing you do will depend on the nature of your company. Using cookies, however, is generally only possible under the lawful basis of consent.
It's most common to rely on legitimate interests as the lawful basis for using Page Insights.
As well as highlighting some of the uncertainty this decision has caused Facebook Page admins, Janitza refers to "Article 6 (1) (f) of the GDPR" as its legal basis for using Page Insights. This means that it's using Facebook Insights under legitimate interests.
If you plan to use legitimate interests as your lawful basis for using Page Insights, you will need to conduct a Legitimate Interests Assessment.
Facebook's Policy Addendum also requires you to "comply with any other applicable legal obligations." Facebook doesn't spell these out, but the GDPR's transparency requirements mean you must, at a minimum, tell your users that you use Page Insights on your Facebook Page.
Here's how Alarmy does this in its Privacy Notice:
Don't forget, though - this is the information you need to provide purely in relation to your use of Facebook's Page Insights service. You need to provide a whole range of other information in relation to your company's data processing activities, including:
- How and why you are processing personal data
- Your legal basis for each type of data processing activity
- Details of your Legitimate Interests Assessment (if you're processing some data under this legal basis)
- Who you'll be sharing personal data with (including Facebook)
- Whether you'll be transferring personal data overseas
There are also additional requirements under Article 9 of the GDPR which apply if you're processing special category (sensitive) data.
Data Requests Form
The GDPR gives users a lot of control over their personal data. Users are entitled to make requests to access, rectify or erase their personal data. They can also ask for a restriction of the ways in which their data is processed, or object outright to the processing of their data. They can make these requests to any data controller involved in processing their personal data.
Because Facebook Page admins are now joint data controllers, visitors to your Page have a right to lodge such requests with you. Supervisory authorities (data protection authorities operating in each of the EU Member States) might also contact you if there is some concern about an infringement of the GDPR or a data breach.
Facebook's Policy Addendum makes it quite clear that you are not to handle these requests yourself, but must instead forward them to Facebook:
"If you are contacted by data subjects or a supervisory authority under the GDPR with regard to the processing of Insights Data and the obligations assumed by Facebook Ireland under this Page Insights Addendum (each a "Request"), you will forward all relevant information to us promptly but within a maximum of seven calendar days."
Remember that this is only in respect of requests or inquiries about Facebook Page Insights. Your company must have its own systems in place to deal with requests relating to any of its other data processing activities.
First, go to your Facebook Page dashboard and select "Edit Page Info" in the top right-hand corner.
Summary of Complying with Facebook's Changes
It's not all that difficult for Page admins to comply with Facebook's requirements. Just make sure that you:
- Read Facebook's Policy Addendum carefully.
- Provide visitors to your Page with:
  - Your company's name and contact details
  - Facebook's contact details
  - Your legal basis for using Facebook Insights
  - Any other information you need to comply with the GDPR
- Use Facebook's special form to make it aware of:
  - Any request from your users who wish to exercise their data rights in respect of Facebook Insights;
  - Any inquiry from a supervisory authority about Facebook Insights.