The Court of Justice of the European Union recently ruled that anybody who runs a fan page, group or other such page on Facebook can be held partly responsible for any failures in GDPR compliance concerning users on the page, even if the offense does not originate from the page itself. Likewise, if a page administrator fails to comply with the GDPR, Facebook can be held partly responsible as the provider of the platform that made the infringing data collection and use possible. This hinges on Facebook's Insights tool, which allows page administrators to view demographic data on page visitors such as their location, interests, and location.
This precedent means that a number of businesses, fan pages and Facebook groups worldwide will have to take additional steps to ensure GDPR compliance on their pages. The ruling does not apply to fully anonymized data, but any aggregated data that can be traced back to individual users, such as the data on Facebook users that powers the Insights tool for Pages, is covered under GDPR, which means that any and all collection and use of this data must comply with GDPR guidelines. The ruling that set the precedent for this pertains to German education firm Wirtschaftsakademie Schleswig-Holstein. Back in 2011, the company was ordered to take down its Facebook page because it did not disclose to users that Facebook was collecting their data, a fact that representatives claim not to have known at the time. The case reached its conclusion on Tuesday, with the GDPR growing in scope as a result in order to avoid "gaps in responsibility".
Today's news is yet another knock-on effect of the EU's relatively new General Data Protection Regulation. The GDPR is a powerful and global set of rules that allow for hefty fines and other penalties against any companies or entities that do not handle customer and user data in a manner consistent with the law. Specifically, any data that is not totally anonymized, even aggregated data, must be kept safe and secure, and the customer from whom the data was harvested must not only know that data collection is happening and why, but also be able to request their specific data at any time.