GDPR. FB-I had confirmed to the DPC previously by email dated 25 May 2018 that FB-I was the
controller for the Facebook service and the Instagram service in the EU. It is understood that FB-I is
also the controller for the provision of the Facebook and Instagram services to users in the other EEA
states (Norway, Liechtenstein and Iceland).
In the Inquiry, FB-I specifically stated that, as controller, it determines the purposes and means
of processing of the personal data of EU users, which I assume to include users in the other EEA states.
6. Facebook, Inc. (as it was then known) is a company incorporated under the laws of Delaware with an
address at 1601 Willow Road, Menlo Park, CA 94025, California, United States of America. FB-I has
confirmed in the Inquiry that Facebook, Inc. acted as a processor as defined in Article 4(8) GDPR in
relation to the data processing concerned by each of the Breaches.
In this regard, FB-I has outlined
that Facebook, Inc. processes the personal data of EU users of the Facebook and Instagram services
solely on FB-I’s behalf, as a processor, and that the relationship between the two entities as controller
and processor, respectively, is governed by a Data Transfer and Processing Agreement dated 25 May
2018 (“DTPA”) directed to meeting the requirements of Article 28(3) GDPR.
A copy of the DTPA was
provided to the DPC in the Inquiry.
7. I am satisfied, for the purposes of this Decision, that FB-I and Facebook, Inc. are appropriately
identified as the controller and processor, respectively, for the processing of personal data the
subject of the Inquiry.
Facebook and Instagram
8. The Breaches to which the Inquiry relates concern both the Facebook and Instagram services.
9. Facebook is a social media service available at the website www.facebook.com, and as an app for
Android and iOS. As of the end of December 2018, it had 2.32 billion monthly active users globally.
In very broad overview, users with a Facebook account can create a profile containing personal
information, photos and interests, and connect with other users by adding them as ‘Friends’, or
(usually in the case of people they do not know personally) by ‘following’ another user’s profile. Each
user’s profile includes their ‘Timeline’, where they can post photos, videos, locations and status
updates, as well as see posts they have been ‘tagged’ in and posts written to their Timeline by
Friends. Users can also create and manage ‘Pages’ and ‘Groups’ and ‘Events’ around particular
interests, topics, or social activities. The homepage a user sees when they log into their account
contains a ‘Newsfeed’ showing a list of status updates, photos, videos, and ‘likes’ by other users,
Pages and Groups that they follow on Facebook, which is continuously updated. Users can ‘like’ or
comment on other users’ posts, ‘tag’ other users in posts, send messages to other users, and create
a ‘Facebook Story’ which remains visible for 24 hours, among other features. The audience of content
that users share on Facebook can be edited depending on who the user wishes to see it (alternatives
include ‘Public’, ‘Friends’, or ‘Custom’). There is an option to remove (or ‘Unfriend’) a person who
the user had previously added as a Friend, and users can ‘block’ other users to prevent them from
(for example) seeing their profile or sending them messages.
See, for example, information on users affected, including numbers in the other EEA states, in the updated
breach notification form for Breach 10 (4 January 2019) (Section 8.1, updating Section 5.5).
FB-I’s Response to Queries 1 to 4 in the Commencement Notice (18 January 2019), pages 1 to 2.
FB-I’s Response to Queries 1 to 4 in the Commencement Notice (18 January 2019), pages 3 to 4.
FB-I’s Response to Queries 1 to 4 in the Commencement Notice (18 January 2019), page 4.
Press Release, ‘Facebook Reports Fourth Quarter and Full Year 2018 Results’ (30 January 2019)