31.07.19 Operators of websites using social media plugins can be qualified as joint controller
A large number of websites nowadays contain so-called “like” or “share” buttons: promotional features that connect products to popular social networking sites. Following a preliminary ruling from the German Oberlandesgericht Düsseldorf, the European Court of Justice (“ECJ”) clarified on 29 July 2019 the liability in terms of data protection for websites placing such like buttons (C-40/17).
The ECJ ruled in a case initiated by a consumer association against the German fashion retailer Fashion ID, which had embedded the Facebook like button on its website. In its decision, the ECJ followed the opinion of Advocate-General Bobek.
In the present case, the ECJ brings some clarification to several provisions of the former Data Protection Directive 1995 (which remains applicable to this case, but has now been replaced by the General Data Protection Regulation, the so-called GDPR). The ECJ stated that Fashion ID, together with Facebook, is responsible for the collection of the data in question and its transmission to Facebook, since both parties agree on the purpose and the means of achieving it. Consequently, according to the ECJ, websites will be deemed to be controllers within the meaning of the GDPR simply because of the placement of a like or share button. The button sends personal data of visitors to Facebook, without those visitors being aware of that and regardless of whether or not they are a user of Facebook or have clicked on the like button, according to the ECJ.
The ECJ reached that decision on the basis that Fashion ID “exerts a decisive influence over the collection and transmission of the personal data of visitors to that website to the provider of that plugin, Facebook Ireland, which would not have occurred without that plugin.” Fashion ID and Facebook Ireland must therefore be regarded as joint controllers since they jointly define the purpose of the processing. Surprisingly, the fact that Fashion ID itself does not have access to the personal data was considered irrelevant.
This approach, however, only applies to the collection and transmission of data relating to visitors to the website. Websites that use social media plugins are not responsible for what Facebook subsequently does with the data that is passed on.
The ECJ also established that via the like button on the Fashion ID website, both personal data of users and non-users of Facebook were processed. This further increases the responsibility of the website owner, as it enables the processing of personal data of non-users by Facebook Ireland.
As a result, website owners, when acting as controllers, also have to comply with certain obligations. Users should be informed of how their data is being processed and that it is automatically transferred to Facebook Ireland or any other social media via a plugin. In addition, website owners should seek prior consent before sharing any data with Facebook, except if they could successfully invoke legitimate interest as legal grounds.
In that respect, where the processing of data is necessary for the purpose of a legitimate interest, the ECJ finds that each of the (joint) controllers, namely the operator of the website and the provider of the social media plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard.
Companies and website operators will have to rethink / clarify their relationship with the providers of social media plugins and enter into a joint controller agreement.