The Norwegian privacy regulator Datatilsynet has decided on the basis of research not to create a Facebook page because the privacy risks for users are too great. To the best of its knowledge, the regulator is the first organization to have carried out a risk analysis and a Data Protection Impact Assessment (DPIA) into the use of Facebook pages and whether this is possible within the rules of the GDPR. The reason for the investigation was Datatilsynet’s plan to use Facebook for communication purposes. Based on the research results, it was decided not to do this. According to the regulator, there are several problems that prevent it from creating a Facebook page. For example, the risks to the rights and freedoms of users with regard to the processing of personal data are too great, says Bjorn Erik Thon, head of Datatilsynet. In addition, it is not possible for a page administrator to eliminate these risks. Furthermore, the privacy regulator states that it cannot comply with Article 26 of the GDPR on Joint Controllers. According to Datatilsynet, the agreement with Facebook is not satisfactory and it is not possible to conclude a separate processing agreement with Facebook. Another point that the regulator mentions is that it is at the mercy of Facebook’s terms. Facebook also offers insufficient guarantees that the platform complies with data protection by design and data protection as standard. According to Thon, visitors to Datatilsynet’s Facebook page would have the expectation that the regulator has some control over what happens on the page or what information is recorded. However, there is no answer to that, according to the head of the privacy supervisor. Based on the results of the DPIA and risk analysis, it was therefore decided not to create a Facebook page.
