On 29 July 2019 the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV.
The main conclusion: Internet websites that embed a Facebook “Like” button can be controllers jointly with Facebook within the meaning of Article 26 of the General Data Protection Regulation.
FACTS OF THE CASE AND CONTEXT
German online clothing designer Fashion ID embedded a Facebook “Like” button on its website. The consequence of embedding the button on this particular website appears to be that every visitor’s personal data is transmitted to Facebook Ireland. Indeed, it is important to note that the data of every visitor was transmitted to Facebook Ireland without their knowing it, whether or not they had their own profile on the Facebook social network and whether or not they clicked on the “Like” button.
Verbraucherzentrale NRW, a German public-service association, objected to Fashion ID’s action and criticised it for transmitting visitors’ personal data without their consent and for failing to provide information.
The Higher Regional Court of Dusseldorf, Germany, asked the CJEU to explain whether Fashion ID, as the operator of a website that inserted a social plug-in enabling the collection of personal data, may be considered a controller of personal data even though it has no influence on how the transmitted data is processed by the provider of the plug-in.
Significantly, Facebook has been known for its automatic data collection and transfer from any site that implements the FB “Like” button, and this has recently attracted increased attention. This data collection and creation of “shadow profiles” has already been analysed in various legal and administrative processes and debates. At the same time, the number of these buttons on websites is vast: in the period between 9 and 16 April 2018, the “Like” button appeared on 8.4 million websites.
THE COURT’S DECISION
The CJEU held that Fashion ID cannot be considered a controller in respect of data processing operations carried out by Facebook Ireland after the data have been received. At that stage, Fashion ID can no longer determine or influence the purpose of the data processing or how it is done.
However, as to activities taking place before the data is transferred, ie, collecting them on the Fashion ID website and passing them to Facebook, Fashion ID might be considered as a controller jointly with Facebook. In this case, the purpose of the data processing and the way the data is processed can be determined by both companies.
The CJEU concluded from the case materials that this was so in the present case. The Court pointed out that Fashion ID placed a Facebook Ireland button on its website, knowing that it could be used as a tool for collecting and transmitting personal data on the site. The Court added that Fashion ID (at least indirectly) agreed to such data processing in order to ensure greater publicity for marketing its products, ie, by acting in its economic interest.
Hence, in the opinion of the CJEU, the operator of a website such as Fashion ID, as a joint controller, must inform website visitors about data collection and data processing purposes:
- if the lawful basis for processing is the data subject’s consent, then the operator, before processing the data, must obtain the individual and unique consent of the data subject for collection and transfer of the specific data to Facebook;
- if data processing is based on legitimate interests, each of the joint controllers (ie, both the home site operator and the social plug-in provider) must have a legitimate interest in collecting and transmitting the data.
WHAT DOES IT MEAN FOR WEBSITE OPERATORS?
The arguments as to whether the “Like” button on a site is in the economic interest of a company are applicable to almost every site and business. Consequently, joint control would apply to any company operating for commercial purposes that places a “Like” button on its website, including, of course, Baltic and Belarusian traders. Besides, a “Like” button is not the only tool that triggers data transfer. Offering registration on your website via a social network login also involves data transfer.
Facebook has also indicated that other social networks, such as LinkedIn and Twitter, are using similar plug-ins, so they should also comply with the conclusions of the CJEU judgment. Hence, obligations also cover these and similar social networks.
This means that companies will need to significantly supplement their privacy policies with information on the possible transfer of data to social networks.
Legitimate interests of all sides are unlikely to be found in this particular case. That is why website operators should allocate resources to assess legitimate interests.
On the other hand, if the lawful basis of data processing is the consent of the data subject, the site would be allowed to use social network plug-ins only after such consent has been obtained. This obliges website operators to obtain such consent, for example, through notification messages (similar to cookie consent messages). Operators also need to modify how the plug-in operates so that no data is sent to social networks before the visitor has been asked and has given an affirmative answer.
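One way to implement that gate, as an added example that is not code from Fashion ID, Facebook or the judgment: the plug-in script is injected only after an affirmative answer, so no request reaches the social network before then. The script URL and storage key are placeholders, and the fake page objects are constructed so the logic runs without a browser.

```javascript
// Added example: consent-gated loading of a third-party social plug-in.
// PLUGIN_SRC and CONSENT_KEY are placeholders, not real vendor values.
const PLUGIN_SRC = "https://social-plugin.example/sdk.js";
const CONSENT_KEY = "social_plugin_consent";

// doc and storage are passed in so the gate can be exercised offline;
// in a browser, pass document and window.localStorage.
function createConsentGate(doc, storage) {
  let loaded = false;

  // The only place a request to the third party can originate.
  function loadPlugin() {
    if (loaded) return false;
    const script = doc.createElement("script");
    script.src = PLUGIN_SRC;
    script.async = true;
    doc.head.appendChild(script);
    loaded = true;
    return true;
  }

  return {
    // On page load: load only if an affirmative answer was stored earlier.
    init() {
      return storage.getItem(CONSENT_KEY) === "granted" ? loadPlugin() : false;
    },
    // From the consent prompt: record the answer, load only on "yes".
    answer(granted) {
      storage.setItem(CONSENT_KEY, granted ? "granted" : "denied");
      return granted ? loadPlugin() : false;
    },
    isLoaded: () => loaded,
  };
}

// Constructed stand-ins for document and localStorage that record every
// script URL that would have been requested.
function makeFakePage() {
  const requests = [];
  const store = new Map();
  return {
    requests,
    doc: {
      createElement: () => ({}),
      head: { appendChild: (el) => requests.push(el.src) },
    },
    storage: {
      getItem: (k) => (store.has(k) ? store.get(k) : null),
      setItem: (k, v) => store.set(k, v),
    },
  };
}
```

The gate only helps if the page's static HTML contains no vendor iframe, script or tracking image of its own; the button shown before consent should be a locally served placeholder.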
Facebook is expected to alter their “Like” button’s actions to comply with the ruling. However, it is unknown when this might happen.