(LUXEMBOURG) – A website displaying Facebook’s ‘Like’ button, which processes users’ personal data, becomes jointly liable for collection and transmission of the data to Facebook, the EU’s top Court ruled Monday.
However, that website operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone.
The case concerned German online clothing retailer Fashion ID, which embedded on its website the Facebook ‘Like’ button. The consequence of embedding that button appears to be that when a visitor consults the website of Fashion ID, that visitor’s personal data are transmitted to Facebook Ireland. It seems that that transmission occurs without that visitor being aware of it and regardless of whether or not he or she is a member of the social network Facebook or has clicked on the ‘Like’ button.
Verbraucherzentrale NRW, a German public-service association tasked with safeguarding the interests of consumers, criticises Fashion ID for transmitting to Facebook Ireland personal data of visitors to its website, first, without their consent and, second, in breach of the duties to inform set out in the provisions relating to the protection of personal data.
The Düsseldorf regional court requested the EU Court of Justice interpret several provisions of the former Data Protection Directive of 1995 (which remains applicable to this case, but has now been replaced by the new General Data Protection Regulation of 2016 with effect from 25 May 2018).
In its judgment, the Court has found, first, that the former Data Protection Directive does not preclude consumer-protection associations from being granted the right to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The Court notes that the new General Data Protection Regulation now expressly provides for this possibility.
The Court also held, second, that it appears that Fashion ID cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter. It seems, at the outset, impossible that Fashion ID determines the purposes and means of those operations. By contrast, Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue, since it can be concluded (subject to the investigations that it is for the Oberlandesgericht Düsseldorf to carry out) that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations.
It appears, inter alia, that Fashion ID’s embedding of the Facebook ‘Like’ button on its website allows it to optimise the publicity for its goods by making them more visible on the Facebook social network when a visitor to its website clicks on that button. The reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a button on its website is in order to benefit from that commercial advantage. Thus, those processing operations appear to be performed in the economic interests both of Fashion ID and of Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes constitutes the consideration for the benefit to Fashion ID.
The Court makes clear that the operator of a website such as Fashion ID, as a (joint) controller in respect of certain operations involving the processing of the data of visitors to its website, such as the collection of those data and their transmission to Facebook Ireland, must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the processing.
The Court has also provided further information in respect of two of the six cases provided for in the directive in which the processing of personal data can be considered lawful.
Thus, with regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as Fashion ID must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.
With regard to the cases in which the processing of data is necessary for the purposes of a legitimate interest, the Court finds that each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard.
Judgment in Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV