Embedding "Like" Buttons: What are the GDPR Consequences for Website Operators after the Fashion ID Ruling?
A website operator who has embedded a Facebook “like” button on its website qualifies as a “joint controller” together with Facebook and so can be held liable for the collection and transmission of data from the operator’s website visitors to Facebook.
Background
Fashion ID is a German online clothing retailer. Its website contained the well-known Facebook ‘Like’ button. This social plugin automatically collects and transmits certain personal data to the social network when a user visits the Fashion ID website. This meant that, amongst other things, the IP addresses of website visitors were sent to Facebook without their knowledge, regardless of whether the visitor had a Facebook account.
By using the ‘Like’ button, Fashion ID extended its visibility on the social network. Facebook, for its part, could also process the data for its own commercial purposes.
A German consumer protection association brought legal proceedings for an injunction against Fashion ID on the ground that the use of that plug-in resulted in a breach of data protection legislation.
A German court decided to refer several questions to the CJEU for further clarification about each actor’s respective roles and responsibilities.
Joint controllership between the website provider and Facebook…
In cases of embedded third-party content on a website, who bears responsibility and for what exactly? This was, in short, the underlying question to which the CJEU had to provide an answer in the “Fashion ID” case.
As a small reminder: this was not the first time (and will also probably not be the last) when the CJEU has had to take a position concerning the use of Facebook tools by other entities. In its “Facebook Fan Page” decision (C-210/16), the CJEU had already recognised that there is joint responsibility between the social network operator and the administrator of a fan page hosted on that network regarding the processing of the personal data of visitors to that fan page.
The Fashion ID decision follows the same reasoning. In addition, the CJEU has here ruled that Fashion ID and Facebook jointly qualify as “controller”. This is mainly because, on the one side, the data is processed by a common means, i.e. the use of Facebook’s plugin, and, on the other side, it serves the commercial purposes of both entities. According to the CJEU, the fact that Fashion ID would not have access to the personal data concerned is irrelevant.
…but only to a certain extent.
Does this mean that a website operator can be held liable for everything Facebook does with the data?
The CJEU’s response is a clear “no”.
The joint liability between Fashion ID and Facebook is limited to “the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue”. Thus, Fashion ID cannot be held responsible for any other processing that Facebook carries out before or after receiving the data.
Obtaining consent and informing data subjects in a joint controllership situation
In a joint controllership situation, which entity must obtain consent and provide the necessary information to the data subject?
The CJEU has decided that it is Fashion ID’s responsibility to obtain consent from the visitors as well as to provide the necessary information. This consent and information concern only the set of processing operations for which Fashion ID is responsible. However, for the processing for which Facebook is the sole controller, Fashion ID does not have to inform the data subjects (i.e. its website visitors) or obtain any separate consent from them.
Finally, if the processing activities were to be based upon “legitimate interests” as a processing ground, then both Fashion ID and Facebook have to demonstrate their own legitimate interests for the processing that occurs.
Our thoughts
The CJEU has given a very broad interpretation to the notion of “joint controllership”. This will have ramifications for the GDPR obligations of both website operators and third-party content providers.
First, the GDPR imposes specific obligations upon joint controllers. This includes, amongst other things, making an agreement on their respective roles and responsibilities. The essence of such an arrangement should be made available to the data subjects.
Second, the foregoing will also affect the information obligation of the controller and, therefore, impact the content of the privacy policy, the cookie consent mechanism and the register of processing activities. A verification and modification of these documents will likely be required.
Finally, given the rather extensive interpretation of the CJEU decision, it remains to be seen in practice whether its impact will be limited to the use of social plugins only or if it will affect the legal analysis of various other processing operations that involve several entities using common means.