Europe Can Regulate Your Company's Facebook Page
- By Paul Rubell
- 16 Jul, 2018
Every company in the world that has a Facebook social media page may be subject to the European Union’s newly enacted GDPR (General Data Protection Regulation) and the chokehold of EU law enforcement.
Many businesses wrongly believe they are not collecting personal data via their Facebook pages, but that is likely not the case.
This new law provides individuals with enhanced privacy rights to protect their personal information. To accomplish this objective, the GDPR imposes substantial legal and technological requirements upon businesses that collect, store or process personal user data. The EU is empowered to impose heavy fines on companies that do not comply with these privacy law mandates, and since the law’s recent implementation, many businesses, small and large alike, have been fined.
When EU citizens and residents access a business’s Facebook page, the business is legally responsible for keeping their personal data private. This is the case whether the user is located in Europe or anywhere else in the world at the time she accesses the company’s Facebook page. In addition, a citizen or resident of any country in the world, including the United States, who is travelling or working in Europe may also be entitled to heightened privacy rights under the GDPR. And the long arm of the EU’s jurisdiction extends to every company located anywhere in the world that offers goods or services (by e-commerce or any other means) to covered individuals.
The EU Grand Chamber Court ruled recently that the GDPR’s requirements also apply to company Facebook pages. Every business with a social media site may be required to deploy state-of-the-art technological and legal protections to ensure the privacy of personal data that passes through the social sites. The cost of compliance can be substantial, but the specter of enforcement, fines and adverse publicity is real and alarming.
Some kinds of data collection are obvious; others are more subtle, and it is very important for businesses to be aware of the numerous landmines that the GDPR has laid out to capture them.
Under this harsh law, “personal data” means “any information relating to an identified or identifiable natural person.”
It is easy to determine those users who are identified persons. However, the meaning of an identifiable natural person is more subtle. A person is identifiable if she can be identified, directly or indirectly, by her name, identification or customer number, location data, an online identifier or one or more factors specific to her physical, physiological, genetic, mental, economic, cultural or social identity.
Most companies use cookies and site analytics in connection with their social media sites. Facebook uses cookies and provides businesses with Facebook Audience Insights. For this reason, a business having a Facebook page may also be responsible for the data that Facebook itself collects about the business’s users. This kind of data includes user profiles, “likes”, use of third-party apps, location information and demographics.
Every United States business needs to determine whether it is potentially subject to the GDPR. This article is limited to social media sites, but many other facets of a business’s interactions with its customers and users may also be implicated in the GDPR’s restrictions and mandates. A prudent business and its legal counsel should review its Privacy Policy as well as its technological privacy practices and conduct an audit of its internal practices for information security. Beware and be cautious.






