For some time now we have wondered how Folkestone & Hythe District Council complies with data protection law when operating its Facebook page. It’s not a challenge unique to them – anyone running a corporate page is likely to be faced with similar challenges.
With this in mind, the Shepway Vox Team have raised an enquiry/complaint with the ICO, and will, of course, update this blog when we receive a response.
We wish to raise an issue regarding Folkestone & Hythe District Council's compliance with Articles 5(1)(a)(b)(c) and (f) of the GDPR.
We note that they operate a Facebook organisation page:
on which they invite and respond to residents' comments.
Following the findings of the Court of Justice of the European Union (CJEU) in Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (Case C‑210/16), you are a joint controller with Facebook for the purposes of the processing of – at least – the personal data of those who comment on the Council’s Facebook Page (the “Facebook data”). Many residents do this.
We also note that in the Council’s “Privacy Notice”, they do not state, in respect of their processing of the Facebook data, that they are a controller. No doubt the Council would disavow controller status, which would be an abrogation of their obligations under Article 13 of GDPR.
Following the findings of the CJEU in Wirtschaftsakademie it can be said that the creation of an organisation page on Facebook involves the definition of parameters by the administrator which has an influence on the processing of personal data for the purpose of, at least, permitting visitor comments or visitor interactions, such as clicking “like” buttons. Consequently, the administrator of a Facebook organisation page such as the Council’s Facebook Page contributes to the processing of the personal data of visitors to its page.
The Shepway Vox Team assert that the Council processes, as a controller, the personal data of residents who have commented on the Council’s Facebook Page. We also believe that, as a controller, they are involved in the transfer of the Facebook data, which must be taken to include residents' personal data, to a third country, namely, the United States (Facebook itself says that information controlled by Facebook Ireland (which it sees as the primary controller for the processing of personal data on UK Facebook pages) will be transferred or transmitted to, or stored and processed in, the United States). Facebook appears to effect such transfers by means of standard data protection clauses approved by the European Commission (https://www.facebook.com/help/566994660333381).
So the following questions need to be answered by the Council’s data protection officer and the Cabinet Member responsible for Information technology, information access and security, RIPA and Customer service, Cllr Ray Field.
Please would you inform the residents of the Folkestone & Hythe District whether:
1) You agree that you are a controller (jointly or severally) with Facebook for the processing of residents' personal data when they comment on your Facebook page?
2) You take the view more generally that you are a controller (jointly or severally) with Facebook for the processing of residents' personal data when they visit your Facebook page (for instance for the processing involved in the placing of cookies and similar technologies)?
3) As a controller (assuming you accept that you are one) you are transferring residents' personal data out of the EEA?
4) If the answer to 3) is “yes”, how you are complying with the conditions laid down in Chapter 5 of GDPR?
This is a serious matter. We appreciate the Council has a general task to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing via its Privacy Notice. It would be helpful if the Council could say whether they take the view that they cannot adequately perform this task without using Facebook to do so.
The Shepway Vox Team
Being Voxatious is NOT a Crime