The Norwegian Data Protection Authority decided to abandon Facebook and not have an official page on the world’s most popular and successful social media platform. The reason is that it finds that continuing its use would be unethical and not in line with the obligations that stem from its very role in society. Simply put, the organization cannot accept that those visiting its Facebook page and interacting with its posts have no idea what happens with their data, and the agency cannot answer any questions around that.
As the report details, the Norwegian Data Protection Authority has carried out a risk assessment on Facebook, so it didn’t just decide to reject the platform out of the blue. Facebook is a powerful communication and outreach tool, so the authority gave it serious consideration but found that there are many risks to user freedoms and data rights associated with it. More specifically, it found that if it created a page on Facebook, it would not itself be compliant with Article 26 of the GDPR on joint controllership, as the standard arrangement between the two entities was deemed inadequate.
On Articles 5, 6, and 9 concerning data protection principles and Articles 12 to 22 on the rights of data subjects, the authority’s study found that the intention of the Page owner is irrelevant and powerless against the intention of Facebook, so it can be summed up as a matter of trust in the platform. The social media giant doesn’t provide adequate guarantees on its terms, and there are no concrete mechanisms that could be signs of “data protection by design and by default,” so the risks are evident.
Bjørn Erik Thon, the Data Protection Commissioner in Norway, stated that they were the first organization to carry out such a thorough assessment of Facebook Pages against the GDPR obligations. Still, they hope they won’t be the last. In fact, the official urges other data protection agencies in Europe to carry out similar risk assessment studies and maybe even expand to other popular social media platforms. In the end, this is an integral part of the social responsibility of these public agencies, and no concessions can be made when it comes to their core role, which is to promote user data control.