On 19 December 2018, Advocate General Bobek ("AG Bobek" or the "AG") delivered his opinion in case C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV. The AG argued that the operator of a website integrating a third party plugin such as the Facebook "Like" button, which causes the collection and transmission of the users' personal data, is jointly responsible for that stage of the data processing.
Fashion ID, a German online retailer, integrated the Facebook "Like" button into its website. As a result of the functionality of the Facebook "Like" button, information about a user's IP address and browser string is transferred to Facebook Ireland. This occurred automatically when Fashion ID's website was loaded, regardless of whether the user has a Facebook account or whether he or she clicked on the "Like" button. Verbraucherzentrale NRW, a German consumer protection association, filed for a cease-and-desist injunction against Fashion ID on the ground that the use of the Facebook "Like" button results in a breach of data protection legislation.
At issue is the interpretation of several provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR"). The Düsseldorf Higher Regional Court asked the Court of Justice of the European Union ("ECJ") whether an online retailer who integrates the Facebook "Like" button into its website is a data controller of the relevant data processing.
Pursuant to Article 26(1) of the GDPR, several parties involved in data processing are to be considered as "joint controllers for data processing" when jointly determining the purposes and means of data processing. In order for joint controllers to be responsible, each party involved must have actual influence. On 5 June 2018, the ECJ already held that there was joint controllership between Facebook Ireland and the operator of a so-called "Facebook Fanpage" (See Van Bael & Bellis on Belgian Business Law, Volume 2018, No. 6. p. 9, available at www.vbb.com).
According to AG Bobek, the threshold for assumption of joint controllership is very low. Therefore, the AG suggests in his opinion that the ECJ should rule that the operator of a website such as Fashion ID who has integrated into its website a third-party plugin, such as the Facebook "Like" button, which causes the collection and transmission of the users' personal data, is a joint controller, along with the third party. Accordingly, the mere integration of the plugin is considered to be a form of co-decision-making for data processing purposes. Nevertheless, the joint responsibility should be limited to those operations for which these parties effectively co-decide on the means and purposes of the processing of the personal data. That implies that a joint controller is responsible for that operation or set of operations for which it shares or co-determines the purposes and means as far as a given processing operation is concerned.
The ECJ will now have to decide whether Fashion ID and Facebook co-decided on the means and purposes of the data processing at the stage of the collection and transmission of the personal data, and whether Fashion ID acted as a controller and whether its liability is, to that extent, joint with that of Facebook Ireland.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.