ECJ rules on Facebook “Like” button
Does a Facebook “Like” button make a website operator a joint data controller?
The key takeaway
Following the opinion of the Advocate General (see Summer 2019 snapshots), the European Court of Justice (ECJ) has confirmed that, if you operate a website with a Facebook “Like” button, you could be a joint data controller with Facebook. This is the case even if the operator does not have access to the personal data.
A German consumer protection association (VNRW) took action against a fashion website, Fashion ID, in the German courts. Fashion ID installed a Facebook Like button on its website, meaning that when an individual visits its website, that individual’s personal information is automatically transferred to Facebook Ireland, whether or not they have clicked on the Like button and irrespective of whether they have a Facebook account.
VNRW sought an injunction against Fashion ID. It alleged that the fashion website’s use of the Like button breached German data protection law (which implemented the European Data Protection Directive (95/46/EC)). This is because Fashion ID transmitted personal data to Facebook Ireland without individuals’ consent and without informing the individuals (eg as to the purpose of the data processing).
On referral from the German court, the ECJ considered Article 2(d) of the Data Protection Directive (95/46/EC), which gives a broad meaning to the term “controller”. According to the Directive, a controller determines (alone or jointly) the purposes and means of processing personal data.
The ECJ clarified that the fact that an actor (eg a website operator) does not have access to the relevant personal data is not a barrier to finding that they are a controller. The ECJ also noted that joint liability as controllers should not always be equated with equal responsibility between controllers. In particular, operators might be involved at different stages of processing and might be involved in the processing to varying degrees, meaning that their liability should be assessed in light of the relevant circumstances.
Consequently, the ECJ found that Fashion ID was not a joint controller in relation to the processing undertaken by Facebook after the transmission of data. This is because the court found that it was impossible that Fashion ID determined (at the outset) the purposes and means of this stage of Facebook’s data processing.
However, Fashion ID was a joint controller in respect of the operations involving the collection and disclosure of personal data to Facebook, because Fashion ID and Facebook both determined the means and purposes of those operations. In relation to individuals with no Facebook profile, the ECJ found that operators have more responsibility as the simple addition of the Like button on the website triggers processing of these individuals’ data by Facebook.
Where data is processed pursuant to a legitimate interest, the ECJ confirmed that, in the case of joint controllers, a legitimate interest should be pursued by both Facebook and the website operator.
The ECJ stated that website operators must provide information to individuals (such as the identity of the controller and the purpose of the processing) at the time their data is collected. Additionally, website operators must obtain prior consent in relation to the operations for which they are joint controllers (eg the collection and transfer of data to Facebook).
Why is this important?
The ECJ has confirmed that website operators may be liable for breaches of data protection rules in relation to the use of the Facebook Like button on their websites.
Any practical tips?
If you are a website operator, review your website’s privacy policies to ensure that individuals are informed about how their data is processed, collected and transferred to social media platforms, the type of data collected and the purpose of the processing.
The roles, liabilities and responsibilities of the website operator and the social media platform should also be described in the agreement between the parties.
The issue of how consent should be given was not clarified by the ECJ and should be considered by website operators going forward, especially as the ECJ ruled that operators cannot rely on plug-in providers to obtain consent.