In Short

The Situation: Fashion ID, a German online clothing retailer, embedded on its website the Facebook "Like" button. When a user consults the website of Fashion ID, that user's personal data are transmitted to Facebook Ireland. The transmission occurs regardless of whether the user is a Facebook member or has clicked on the "Like" button.

The Result: On July 29, 2019, the European Court of Justice ("ECJ") ruled (Case C 40/17), following the Opinion of the Advocate General Bobek of December 2018, that Fashion ID and Facebook Ireland are joint controllers with regard to the operations involving the collection and disclosure by transmission to Facebook Ireland. However, Facebook Ireland is the sole controller regarding its processing after such transmission.

Looking Ahead: Besides updating their privacy policies, website operators that use social plugins, such as the Facebook "Like" button, will be required to ensure a legal basis for processing (this will regularly require obtaining consent from users, for example, via a cookie consent tool) and providing appropriate notice to users prior to collecting and transmitting personal data to the social media provider offering the plugin. Additionally, website operators and social media providers will be required to enter into a joint-controller agreement.

Key Facts of the Decisions

  • Consumer-protection associations may be granted the right to bring or defend legal proceedings for an infringement of data protection law under EU Member State law as now foreseen in Art. 82 (2) of the General Data Protection Regulation ("GDPR").
  • A website operator embedding a third party plugin on its website, which causes the collection and transmission of the users' personal data to the plugin service provider, is considered a controller of that data.
  • Embedding the plugin enables the processing of the user's personal data by the plugin service provider. Therefore, the website operator determines the purposes and means of the collection and transmission of the user's personal data jointly with the plugin service provider.
  • Users must be informed about the processing of their data at the time of collection, and processing must be based on a legal justification (i.e., prior consent). However, the responsibility of the website operator, including its information obligation and its obligation to ensure a legal basis for the processing, is limited to those processing operations for which the website operator effectively codecides on the means and purposes of the processing of the personal data. In the case at hand (and in many parallel cases), this is limited to the collection and disclosure by transmission of the user's personal data to the plugin service provider.
  • In practice it remains to be seen how the website operator and the plugin service provider will implement their respective obligations to provide notice to users via their privacy policy and (where necessary) obtain users' consent. Social media providers offering plugins may push to make this a responsibility of the website operator in the joint-controller agreement governing the implementation and use of the social plugin.
  • Where the processing of personal data does not require the consent of the user, but can be based on legitimate interest, both the website operator as well as the plugin service provider (as joint controllers) have to pursue a legitimate interest, which has to be balanced against the rights and freedoms of the user.

Key Takeaways

  1. Website operators and social plugin service providers are considered joint controllers for the collection and disclosure by transmission of personal data through the embedded social plugin.
  2. The responsibility of website operators is limited to those processing operations for which the website operator effectively codecides on the means and purposes of the processing of the personal data. This will regularly concern the collection and disclosure by transmission of the personal data through the social plugin.
  3. Website operators (in respect of operations for which they are (joint) controllers) will have to ensure that by updating their privacy policies, users are provided with appropriate notice.
  4. The processing is based on a legal justification under the GDPR, in many cases the consent of the user (which will practically require the inclusion of the plugin into the website cookie consent tool).
  5. A joint controller agreement is entered into with the social plugin service provider to address responsibility for compliance and in particular liability issues.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.