ECJ: Website operators using the Facebook “Like” button are joint controllers with Facebook
Fashion ID, a German online clothing retailer, had placed the Facebook "Like" button on its website. By means of this button, personal data (IP addresses and browser data) of each visitor to the Fashion ID website was automatically transmitted to Facebook Ireland (European HQ of Facebook). This transmission took place irrespective of whether or not the website visitor was a Facebook member or whether they had actually clicked on the "Like" button.
The German consumer protection organisation Verbraucherzentrale NRW brought legal proceedings for an injunction against Fashion ID on the ground that the use of the Facebook “Like” button resulted in a breach of Directive 95/46/EC (which has now been superseded by the General Data Protection Regulation (EU) 2016/679, GDPR). The case was referred to the European Court of Justice (ECJ) by the German Higher Regional Court for a preliminary ruling.
On 29 July 2019, the ECJ ruled that Fashion ID and Facebook Ireland are joint controllers with respect to the collection and disclosure by transmission of the website users’ personal data to Facebook Ireland (Case C-40/17). In its ruling, the ECJ takes a granular approach and points out that, with respect to the subsequent processing of personal data by Facebook Ireland (after the transmission), Facebook Ireland is to be regarded as the sole controller. The ECJ furthermore ruled that joint controllers should each pursue a legitimate interest (or have another legal basis) for their processing activities in order to justify them. The ECJ also emphasized that it is the responsibility of the website operator to inform its visitors about its (own) processing activities with regard to the social plugin, and to obtain their consent where necessary, since it is the fact that the visitor consults that website that triggers the processing of the personal data.
Implications of the case
The ECJ’s judgement is yet another confirmation that the concept of joint controllership should be interpreted broadly. The judgement is in line with the ECJ’s previous rulings on joint controllership (e.g. Wirtschaftsakademie Schleswig-Holstein (C-210/16) and Jehovan todistajat (C-25/17)). Important take-aways are the following:
- Website operators using social plugins, such as the Facebook "Like" button, will have to enter into a joint controller agreement with the social plugin provider. This agreement should specify the respective responsibilities and obligations of both parties under the GDPR, and should (advisably) also address liability aspects;
- Website operators will have to update their privacy policies to adequately inform visitors about (i) the processing of their data in relation to the plugin(s) and (ii) the essence of the arrangement (the joint controller agreement) with the social plugin provider(s);
- Website operators will need to ensure that they rely on a legal basis when processing personal data in relation to the plugin. In practice, this will often require the prior consent of their website visitors (for example by using/updating a cookie consent tool).