The ECJ today delivered a judgement that will have a significant impact on a large number of website operators that incorporate plugins such as the Facebook “Like” button on their website to boost their products’ reach on social media. The simple incorporation of a Facebook “Like” button could result in such operators being deemed controllers jointly with Facebook with respect to the collection of personal data, burdening them with serious data protection responsibilities.
At the outset, it is important to state that under EU GDPR rules, a data ‘controller’ determines why and how personal data must be collected and processed, while a data ‘processor’ only processes personal data on behalf of the controller and is often a third-party company.
The judgement concerns a German online clothing retailer, Fashion ID, that embedded the Facebook “Like” button on its website. Verbraucherzentrale NRW (a German consumer protection association) initiated legal proceedings in Germany in 2015, claiming that featuring the Facebook “Like” button had certain consequences which made Fashion ID liable for data breaches. Because the button is embedded, when a visitor visits the website, the visitor’s personal data is transmitted to Facebook Ireland regardless of whether or not that person is a member of Facebook and regardless of whether that person has even clicked on the button. Moreover, the transmission of data occurs without the consent or knowledge of the visitors.
The case made its way to the Higher Regional Court in Düsseldorf, Germany, which made a request for a preliminary ruling to the Court of Justice to interpret several provisions of the former Data Protection Directive of 1995 (which, although now replaced by the new General Data Protection Regulation, remains relevant to the case).
The most significant part of the judgement relates to the Court’s determination on whether or not, and to what extent, Fashion ID is considered to be a controller of data. In its deliberations, the ECJ concluded that with regard to the operations involving data processing carried out by Facebook Ireland after that data has been transmitted to the latter, Fashion ID cannot be considered to be a controller. It arrived at this conclusion after understanding that Fashion ID could not possibly determine the purposes and means of those operations.
On the other hand, the ECJ held that “Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue”. The Court reasoned that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations.
The ECJ also pointed out the consequences that operators of such websites must face as joint controllers. In respect of operations involving the processing of data of visitors to their websites, operators must provide certain information to those visitors at the time the data is collected, including but not limited to their identity and the purposes of the processing.
The Court went on to state that with regard to the case in which visitors have given their consent, the website operator (such as Fashion ID) must obtain prior consent only with respect to those operations for which it is a joint controller, namely, the collection and transmission of the data.
Finally, the Court delved into instances where data processing is based on the grounds of legitimate interest and the effect of this on joint controllers. The ECJ held that it is not sufficient for only one of the joint controllers to pursue a legitimate interest. Rather, both joint controllers must pursue a legitimate interest through the collection and transmission of personal data in order for their operations to be justified in that regard, whilst maintaining the utmost regard for the rights and freedoms of data subjects.
This article was written by Legal Trainee, Gigi Gatt.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.