According to a recent decision by the EU Court, Facebook and the individual who makes the page will share responsibility as the data controllers for the page. Thus, Facebook page creators may have responsibility for ensuring compliance with privacy laws, such as GDPR, in relation to the use of their page.
The situation's history: A German educational organization's creation of a Facebook page is at the heart of the lawsuit, which has been pending in court since 2011. Neither Facebook (unlike now) nor the educational institution disclosed any details regarding the site's cookie usage at that time. Facebook made it easy to utilize cookies, but the school presumably didn't realize that's where the data was coming from when it managed the page and collected user information. (even if the information had been anonymized from Facebook's side for the oversight organization).
The educational organization claimed that they were not liable since they had not urged or required Facebook to gather information; however, one of Germany's fifteen state data protection authorities had ordered them to disclose the use of cookies. Because of this information gap, the Data Protection Authority ultimately banned access to the Facebook page. Following this, the matter remained pending in German courts until the German Supreme Court asked the EU Court of Justice to rule on the question of data processing liability, specifically identifying the party accountable for guaranteeing adherence to data protection regulations.
Not applicable before to GDPR, but gains importance as a result of GDPR
It should be noted that the Data Protection Directive, which was in place before to GDPR, formed the basis for the ruling. The decision also affects how GDPR is understood because the rules and definitions of data controller and data processor are identical to those in GDPR. The so-called "joint processing responsibility" is a novel concept introduced by GDPR. In light of this, the court has determined that the GDPR establishes the paradigm that ought to apply under prior regulations. The individual creating the Facebook page is thus seen as a joint controller with Facebook, subject to the regulations outlined in GDPR Article 26, which includes the need to establish a controller-to-controller agreement.
After the verdict, what will happen? Since Facebook has essentially established itself as the data controller for its services, the verdict goes against Facebook's policies. Facebook will likely modify its policies (as it did in response to GDPR) in light of the verdict in order to comply with the obligations of various articles, including Article 26 on joint controllers.
On top of that, Facebook will probably take care of the information duty under Articles 13 and 14 for data obtained from the pages, thus page creators won't have any more leeway to inform. (particularly what cookies are, as is now reported). However, Facebook page creators are obligated to disclose information about their business. This includes:
the name and contact information of the person or people responsible for handling personal data (including any representatives), the data protection officer's contact information (if any), the purpose of data processing, whether or not data is collected through the pages, and the possibility of data transfer to another data controller
Furthermore, as a result of the decision, the individual responsible for creating Facebook pages will have some liability for the way personal data is handled in this case. However, one ought not go to extremes with this duty. According to the decision, Facebook is going to be in charge of user privacy on the platform, not the individual who makes the Facebook page. This is because joint data controllers do not imply that. Since the creator of a Facebook page might himself be held accountable by Facebook, as stated in the ruling:
"The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data."
However, just because Facebook and the individual creating the page share processing duty does not imply that the creator and Facebook are equally responsible. Each data controller's responsibilities must be evaluated on an individual basis since, as the decision explains, they are involved in different ways and at different stages of the processing of personal data.