Back in Dec 2020 we posted the following blog:
We asked Folkestone & Hythe District Council the questions and they responded with the following:
“A response will only be provided to you if it is deemed necessary.”
Now the council will need to respond, perhaps not directly to the Shepway Vox Team, but most certainly to people who use the Council’s Facebook page. Here’s why:
The issue of the transfer of personal data to the US has been the subject of much debate and much litigation. In 2015 the Court of Justice of the European Union (CJEU) struck down one of the then key legal mechanisms (“Safe Harbor”) for doing so. And in 2020 the CJEU did so with its successor, “Privacy Shield”. Both cases were initiated by complaints by lawyer and activist Max Schrems, and focused on the transfer of data from the EU to the US by Facebook.
Put simply, European data protection law, in the form of the GDPR, and (as we must now talk about the UK in separate terms) UK data protection law, in the form of the UK GDPR, outlaw the transfer of personal data to the US (or any other third country) unless the level of protection the data would receive in the EU, or the UK, is “not undermined” (see Chapter V and recital 101 of the GDPR/UK GDPR).
In “Schrems II” – the 2020 case – the CJEU not only struck down Privacy Shield; it effectively also laid down rules which needed to be followed if the alternative mechanisms, for instance “standard contractual clauses” (SCCs), were to be used for transfers of personal data. Following the judgment, the European Data Protection Board (EDPB) issued guidance in the form of FAQs, which recommended an “assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place”. The EDPB guidance was subsequently endorsed by the UK’s own Information Commissioner’s Office (ICO).
The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework of the destination country, whether the transfer is to the US or elsewhere.
What strikes the Shepway Vox Team as odd in all this is that Folkestone & Hythe District Council have a Facebook page. Given that Facebook’s own data governance arrangements involve the transfer of EU and UK users’ data to the US, and given the Council don’t just operate their page as a newsletter, but actively encourage users to comment and interact on their page, it seemed to the Shepway Vox Team that the Council were enabling the transfer of personal data by Facebook to the US. But even further than that, another CJEU judgment has previously made clear that operators of corporate Facebook pages may well function as a controller under the GDPR/UK GDPR, where they set parameters on the page. The Wirtschaftsakademie case held that – in the case of someone operating a “fan page”:
While the mere fact of making use of a social network such as Facebook does not make a Facebook user a controller jointly responsible for the processing of personal data by that network, it must be stated, on the other hand, that the administrator of a fan page hosted on Facebook, by creating such a page, gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account.
By extension, the Council are in this position with their Facebook page.
Thankfully the same thoughts had occurred to Jon Baines, Senior Data Protection Specialist at Mishcon de Reya, who put the same point to the ICO, as they’ve got a Facebook page as well.
From the ICO’s response we can deduce that Folkestone & Hythe District Council are a controller. And that, nearly a year on from the Schrems II decision, they have NOT updated their privacy notice to reflect their controller status in respect of their Facebook processing. They do not say what their legal basis for processing is. As a local authority they have a statutory responsibility to comply with all laws and regulations, including the GDPR and the Data Protection Act.
What the Council’s response doesn’t do is actually respond to our public face, as a data subject, in respect of his complaint, nor do they explain how they are complying with the international data transfer provisions of Chapter V of the GDPR/UK GDPR, or whether they have conducted any sort of transfer impact assessment (one presumes not).
We are aware the Council might see us as being mischievous, and we are also aware we might be seen as having walked the Council into a trap. Maybe we are, and maybe we have, but there’s also a very serious point to be made. The cost to UK business of the Schrems II decision has been enormous, in terms of the legal advice sought, the internal governance reviews and risk assessments undertaken, and the negotiating or novation of contracts. At the same time the business and legal uncertainty is significant, with many wondering about their exposure to legal claims but also (and especially) to regulatory enforcement.
Given that the Council are not following the law and regulations, then as per Section B of ISA (UK) 250, the external auditor, Grant Thornton, must inform the regulator – the Information Commissioner’s Office.
Also, all those “standard contractual clauses” which are used for transfers of personal data in all the Council’s contracts – such as the one with Salesforce – need to be examined urgently by the internal auditor, East Kent Audit Partnership, headed up by Christine Parker, as a novation might be legally necessary for compliance reasons and to prevent regulatory enforcement.
Finally, it would be wise and prudent for the Council to turn off all commenting on their Facebook page. If they do not, they make themselves legally and financially liable for transferring personal data.
We thank Jon Baines of Mishcon de Reya, who also blogs at informationrightsandwrongs.com, for allowing us to reproduce parts of his original blog, which can be found ⇒ here
The Shepway Vox Team
Not owned by hedge funds or barons