Does a Facebook Like button on your website make you a data controller?
If the operator of a website embeds a third party plugin (such as the Facebook Like button), does this make it a joint data controller with Facebook?
The Advocate General at the Court of Justice of the European Union (CJEU) has issued an opinion on this question, as raised in the German case of Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17).
Fashion ID is a German online clothing retailer, which embedded the Facebook Like button into its website. This means that each time a user accesses the website, information about that person’s IP address and browser string is transferred to Facebook. This happens automatically – it is not necessary for the user to click on the Like button, or for them to have a Facebook account, for the data to transfer.
A German consumer protection association (Verbraucherzentrale NRW) brought legal proceedings against Fashion ID, seeking an injunction on the ground that its use of the Like button constituted a breach of Directive 95/46/EC, which has now been superseded by the General Data Protection Regulation (EU) 2016/679 (GDPR). The case was referred to the CJEU for guidance.
The Advocate General expressed the view that website operators who embed third party plugins which cause users’ personal data to be collected and transmitted are joint data controllers along with the third party. Consequently, the website operator will be jointly responsible for that stage of the data processing. It followed that the Advocate General considered Fashion ID to be a joint data controller along with Facebook Ireland.
However, the Advocate General also said that the controller’s (joint) responsibility should be limited to the operations for which it co-decides on the means and purposes of the processing of the personal data. He referred to the CJEU statement in Wirtschaftsakademie Schleswig-Holstein (Case C-219/16), that “operators may be involved at different stages of that processing of personal data and to different degrees”. Consequently, a joint controller cannot be held liable for the previous and subsequent stages of the overall chain of data processing, as it is not in a position to determine either the purposes or means of that processing.
The Advocate General expressed the view that Fashion ID and Facebook Ireland co-decide the means and purposes of the data processing at the stage of collecting and transmitting the personal data. They both voluntarily cause the data to be processed and transmitted, and there is a unity of purpose between the controllers in the sense that Fashion ID embedded the Facebook Like button on its website to increase visibility of its products via the social network.
The Advocate General concluded that Fashion ID acts as a joint controller and has joint liability with Facebook over that stage of the collection and transmission of the data.
The Advocate General also touched on the legitimacy of the processing of personal data in the absence of the website user’s consent. He noted that this is lawful under the Directive if three (cumulative) conditions are fulfilled: (i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; (ii) the need to process the personal data for the purposes of the legitimate interests pursued; and (iii) the fundamental rights and freedoms of the data subject do not take precedence. In this respect, the Advocate General proposed that the legitimate interests of both joint controllers in the Fashion ID case should be taken into account and balanced against the rights of the users of the Fashion ID website.
Finally, the Advocate General said that, where required, the website user’s consent must be given to the operator if the website (in this case, Fashion ID) has embedded third party content. Similarly, the operator is under an obligation to provide the website user with the required minimum information.
Why is this important?
We await the decision of the CJEU, which should provide useful clarification on the duties and specific liability of joint controllers. This is important because breach of these duties may lead to strict liability under the GDPR, which states that individuals may exercise their rights against each of the controllers in relation to the processing of personal data over which they have no control.
Any practical tips?
The case is a useful reminder to businesses to know exactly what data processing is occurring via their websites, including as a result of any third party plug-ins, such as the Facebook Like button. Properly understanding what’s happening from a data perspective is the first step in addressing any potential exposure which may result from being deemed a joint controller of the relevant data.
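The point the case turns on, and the practical tip above, is that an embedded plugin makes every visitor's browser contact the plugin host as soon as the page loads, before any click. A first step in knowing what processing a website triggers is to list the third party hosts its markup fetches from automatically. The script below is an added example, not code from the article or from any party to the case; it parses a page with Python's standard library and reports the hosts, other than the site's own, that a browser would request on load. The sample HTML, the page URL and every hostname in it (shop.example, plugins.social.example, pixel.analytics.example) are constructed for illustration.

```python
"""List the third party hosts an HTML page contacts automatically on load.

Added example for the Fashion ID discussion (not the article's own code).
Tags such as <script src>, <iframe src>, <img src> and most <link href>
elements are fetched by the browser without any user interaction, so each
distinct third party host here receives the visitor's IP address and
browser string on every page view, whether or not the visitor clicks.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL the browser fetches on page load.
AUTOLOAD_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
}

# <link rel="canonical"/"alternate"> are metadata only; they trigger no request.
NON_FETCHING_LINK_RELS = {"canonical", "alternate"}


class ResourceCollector(HTMLParser):
    """Collect URLs from tags that cause a request as soon as the page loads."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTOLOAD_ATTRS.get(tag)
        if not wanted:
            return
        attr_map = dict(attrs)  # boolean attributes such as "async" map to None
        if tag == "link" and (attr_map.get("rel") or "").lower() in NON_FETCHING_LINK_RELS:
            return
        for name in wanted:
            value = attr_map.get(name)
            if value:
                self.urls.append(value)


def fetched_host(url, page_url):
    """Hostname the browser would contact for url, or None for non-http(s) URLs."""
    parts = urlsplit(urljoin(page_url, url))
    if parts.scheme not in ("http", "https"):
        return None  # data:, javascript:, mailto: and similar load nothing remotely
    return parts.hostname


def is_first_party(host, own_host):
    """Treat the site's own host and its subdomains (e.g. a CDN) as first party."""
    return host == own_host or host.endswith("." + own_host)


def third_party_origins(html, page_url):
    """Return the sorted list of third party hosts contacted when html loads."""
    collector = ResourceCollector()
    collector.feed(html)
    own_host = urlsplit(page_url).hostname or ""
    hosts = set()
    for url in collector.urls:
        host = fetched_host(url, page_url)
        if host and not is_first_party(host, own_host):
            hosts.add(host)
    return sorted(hosts)


# Constructed sample: a product page with its own assets, a social plugin
# embedded the way a Like button is (script plus iframe), and a tracking pixel.
SAMPLE_PAGE_URL = "https://shop.example/products/coat"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://shop.example/products/coat">
<script src="https://cdn.shop.example/app.js"></script>
</head><body>
<h1>Winter coat</h1>
<img src="/static/coat.jpg" alt="coat">
<!-- social plugin: loads on every visit, no click or account needed -->
<script async src="https://plugins.social.example/sdk.js"></script>
<iframe src="https://plugins.social.example/like?href=https://shop.example/products/coat"></iframe>
<img src="https://pixel.analytics.example/p.gif" width="1" height="1" alt="">
</body></html>
"""

if __name__ == "__main__":
    for host in third_party_origins(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("third party contacted on load:", host)
```

Run against the constructed sample, the script reports plugins.social.example and pixel.analytics.example and not cdn.shop.example, which it treats as the site's own infrastructure. Resources injected later by scripts are not visible in static markup, so the list is a lower bound; a browser's network log while loading the page with a clean profile shows the full picture.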