A duty of care for students and staff
Questions for a TUD expert: When public institutions use social media, there are boundaries to respect
For years, public institutions – from state broadcasters ARD and ZDF to universities and public authorities – have openly advertised Facebook, Twitter, and YouTube. Think of presenters asking viewers to visit relevant Facebook pages, for example. UJ talked to junior professor Anne Lauber-Rönsberg about this issue.
UJ: The public institutions in question must generate hefty revenues for advertising social media companies, right? Just like with conventional advertising on television, surely there are contracts that reflect the reach and impact of those public institutions? After all, the institutions invest state money (in the case of universities) or other public funds (the license fee in the case of broadcasters) to be as successful as possible – but Facebook, etc. are also beneficiaries. What is the legal take on this situation?
Anne Lauber-Rönsberg: I agree that social networks, and Facebook in particular, have become a standard public relations tool because they are so widespread. So much so that many institutions feel unable to do without the opportunities such networks offer to raise their profile.
References to broadcasters’ Facebook pages by TV and radio presenters are, however, in part rooted in media law: The Interstate Broadcasting Agreement requires public broadcasters to provide internet services as part of their mission to contribute to the free formation of individual and public opinion. However, to ensure that those internet services do not represent unreasonable competition for press publishers – which, unlike public broadcasters, do not receive broadcasting fees – the Interstate Broadcasting Agreement places strict conditions on internet content from public broadcasters. Under current law, for example, pages relating to the content of a specific broadcast may be made available for a period of up to seven days after the broadcast. In the case of internet content not related to a specific program, the broadcaster must examine whether the page is necessary at all for the fulfillment of its universal service mandate. Presenters’ references to Facebook pages thus in part serve to prove the link to a specific program.
Neither broadcasters nor indeed TU Dresden have any legal entitlement to a share of the advertising revenue generated by Facebook as a result of increased traffic. Institutions enter into the ‘deal’ with Facebook voluntarily and know beforehand that they will not receive any financial compensation. Clearly, they assume that Facebook content is nevertheless ultimately worthwhile.
However, it is problematic that the consideration Facebook receives for its services is essentially provided by the visitors to the Facebook pages, as Facebook collects and processes their personal data.
UJ: Facebook’s Mark Zuckerberg has admitted what everyone already suspected: Facebook collects data, including personal data, and then makes it available to third parties – either negligently or indeed even intentionally as part of its business model. As this is now accepted as fact, aren’t all those who operate a Facebook page condoning any violations of data protection law committed by Facebook or even making themselves complicit?
This question has long been a subject of debate amongst data protection experts. On June 5, 2018, the European Court of Justice (ECJ) ruled that the operators of Facebook pages are jointly responsible for data processing carried out by Facebook. The specific question at issue was whether a private educational institution from Schleswig-Holstein, which operates a Facebook page, could be held responsible for potential data protection breaches by Facebook.
I believe this judgment is correct: Anyone who consciously chooses a particular infrastructure for their public relations work shares responsibility for its compatibility with data protection law.
However, the ECJ also recognized that joint responsibility on the part of Facebook and the page operator need not necessarily mean equal responsibility. If the two parties are involved in the processing of personal data at different stages and to differing extents, the degree of responsibility is to be assessed in light of all relevant circumstances in the particular case. What this means for the sharing of responsibility for Facebook pages and to what extent data protection law is actually violated in this context must now be examined by the German Federal Administrative Court.
The ruling may have been issued under previous law and not under the General Data Protection Regulation (GDPR), which came into force in May 2018, but it can also be applied to the GDPR. Under GDPR provisions, Facebook and the operators of Facebook pages are joint controllers and must define, in a transparent agreement, which party is to fulfill which data protection obligations, including but not limited to the duty to provide information to data subjects. The agreement must also be made available to the data subjects so that they can exercise their statutory rights, for example the right of access. In practical terms, such agreements between page operators and Facebook are probably not currently feasible, yet their very absence constitutes a violation of data protection law. Both Facebook and the page operator must, of course, also comply with the other obligations under the General Data Protection Regulation. Whether Facebook actually does so would at the least appear doubtful in the light of recent months’ news.
UJ: What does the ruling mean in practical terms? Should TU Dresden take its Facebook page offline? What about other social media channels such as WhatsApp and Instagram?
Operating a Facebook page brings liability risks under data protection law. The safest solution at the moment would be to at least temporarily suspend Facebook pages until a solution can be found to allow them to be operated with legal certainty. This is also the position taken by the committee of Independent German Federal and State Data Protection Supervisory Authorities (DSK) in its resolution of June 6, 2018.
Those who nevertheless decide to wait for the ruling by the German Federal Administrative Court and see how things develop over the next few weeks, in particular how Facebook responds, should consider carefully whether the benefits of these pages actually justify the liability risks. In such a case, I would also strongly advise page operators to take all possible and available steps to ensure compliance with data protection law as far as possible. These include publishing a privacy policy on the Facebook page in addition to the mandatory legal notice, and including a link to Facebook’s privacy policy for data processing carried out by Facebook, of which the page operator has no knowledge. The page operator should also examine whether it can, through its own settings, exercise any control over what and how much personal data associated with visitors to the page are processed. Ultimately, however, even these measures cannot eliminate liability risks.
Much will depend on whether and how Facebook responds to the European Court of Justice ruling. The ruling has put the company under pressure, as it is in danger of losing the European market. In theory at least, it is conceivable that Facebook could provide an agreement on how responsibility for data processing is to be shared between the social network and the page operators. It also still remains to be seen how the Federal Administrative Court will view the case. With the Federal Administrative Court’s ruling at the latest, we will see a decision as to whether Facebook pages should be taken offline permanently.
In principle, the ruling from the European Court of Justice applies not only to Facebook, of course, but also to other comparable issues such as data processing by WhatsApp and Instagram.
UJ: Are there any legal specificities applicable to public or state institutions?
These principles apply both to Facebook pages run by private companies and to those of public institutions.
In the case of universities, however, there is in my view also a particular duty of care; a duty to protect the rights and interests of students and staff. Data protection regulations require universities to take appropriate personnel, technical, and organizational measures to ensure compliance with data protection requirements. In my opinion, this includes selecting service providers carefully and taking into account the data protection standards they meet.
This applies not only to public relations, but also to e-learning services, for example. I therefore warmly welcome the fact that Saxony’s universities are currently developing their own video portal so that they no longer have to rely on commercial providers such as YouTube to provide lecture recordings.
The public now keeps a close eye on whether universities guarantee high data protection standards in their learning management systems. This is demonstrated by the Big Brother Award, ‘presented’ to LMU Munich and TU Munich in May 2017 in condemnation of their collaboration with the US MOOC provider Coursera, which not only collected extensive data on participants in online courses but also shared that data with employers and recruitment companies.
The interview was conducted by Mathias Bäumel.
This article appeared in the Dresdner Universitätsjournal (university newspaper, UJ) 12/2018 of June 26, 2018. The complete issue is available as a free PDF download here. Printed copies and PDF files of the university newspaper can be ordered from . For more information, please visit universitaetsjournal.de.