POPIA risks from corporate use of social media (e.g. Facebook)

There is significant risk in using third party platforms by organisations due to the legal liability they inherit as a result. Be it corporate use of LinkedIn, Instagram, Twitter, Facebook, etc. each requires an Administrator to facilitate the collection of personal information by these platforms. A judgement on 5 June 2018 saw the Court of Justice of the European Union (CJEU) find that the administrator of a corporate account on social media (in this case Facebook) must be regarded as being responsible for the phase of personal data processing consisting of the collection and transmission by that social media network of data relating to people who visit the organisation's social media pages.

In other words, by facilitating the collection of personal information on social media as a result of setting up corporate pages, the Administrator is to be regarded as a joint responsible party for the purposes of the Protection of Personal information Act and therefore becomes jointly liable for the processing activities of the social media platform (e.g. Facebook) and as a joint responsible party can be the subject of a compliant to the Information Regulator or litigation independently of the social network.

Because litigation against social networks like Facebook will be unlikely due to the high costs, it will be most likely that litigation will be against a less well resourced responsible party who originally determined the means of processing (i.e. collection) would be through a social media's (e.g. Facebook) ongoing activities.

This risk extends to any embedded third party assets within an organisation's web pages. The organisation is effectively facilitating the processing of personal and communications data by those third parties and therefore in terms of the POPI Act should be considered as a Joint Responsible Party in these circumstances.

With this risk in mind, organisations should review the data processing practices of third parties who drop cookies and use analytics and tracking technologies on their websites. By permitting third party scripts website owners typically receive anonymous statistical information about website usage which can assist in optimizing website design. However, from the perspective of the analytics provider the information obtained via one website is simply one facet of the wider collection of data from number of sources. In their hands the data is not anonymous but can be used to build a detailed picture of users and to target advertising at them.