You are here:
08 August 2019 / news

ECJ: Website operators using the Facebook “Like” button are joint controllers with Facebook

Fashion ID, a German online clothing retailer, had placed the Facebook "Like" button on its website. By means of this button, personal data (IP addresses and browner data) of each visitor of the Fashion ID website was automatically transmitted to Facebook Ireland (European HQ of Facebook). This transmission took place irrespective of whether or not the website visitor was a Facebook member or whether they had actually clicked on the "Like" button.

The German consumer protection organisation Verbraucherzentrale NRW brought legal proceedings for an injunction against Fashion ID on the ground that the use of the Facebook “Like” button resulted in a breach of the Directive 95/46/EC (which has now been superseded by the General Data Protection Regulation (EU) 2016/679), GDPR). The case was referred to the European Court of Justice (ECJ) by the German Higher Regional Court for a preliminary ruling.

ECJ

On 29 July 2019, the ECJ ruled that Fashion ID and Facebook Ireland are joint controllers with respect to the collection and disclosure by transmission of the website users’ personal data to Facebook Ireland (Case C 40/17). In its ruling, the ECJ takes a granular approach and points out that, with respect to the subsequent processing of personal data by Facebook Ireland (after the transmission), Facebook Ireland is to be regarded the sole controller. The ECJ furthermore ruled that joint controllers should each pursue a legitimate interest (or have another legal basis) for their processing activities in order to justify them. The ECJ also emphasized that it is the responsibility of the website operator to inform its visitors about its (own) processing activities with regard to the social plugin, and to obtain their consent where necessary, since it is the fact that the visitor consults that website that triggers the processing of the personal data.

Implications of the case

The ECJ’s judgement is yet another confirmation that the concept of joint controllership should be interpreted broadly. The judgement fits well in line with the ECJ’s previous rulings on joint controllership (e.g. Wirtschaftsakademie Schleswig Holstein (C-210/16) and Jehovan todistajat (C-25/17)).Important take-aways are the following:

  1. Website operators using social plugins, such as the Facebook "Like" button, will have to enter into a joint controller agreement with the social plugin provider. This agreement should specify the  respective responsibilities and obligations of both parties under the GDPR, and should (advisably) also addresses liability aspects;  
  2. Website operators will have to update their privacy policies to adequately inform visitors about (i) the processing of their data in relation to the plugin(s) and (ii) the essence of the arrangement (the joint controller agreement) with the social plugin provider(s);
  3. Website operators will need to ensure that they rely on a legal basis when processing personal data in relation to the plugin. In practice, this will often require the prior consent of its website visitors (for example by using/updating a cookie consent tool).
     

Full judgement available here. Please don’t hesitate to contact our Data Protection and Privacy Team in case of any questions.



Mobile phone and colours - digital initiative

Digital initiative in the medical world

Digital Health Network, created in September 2019, aims at developing a tool bringing digitalisation to the Luxembourg healthcare industry. read more

(Supervisory) directors’ liability: our 2019 update

The liability of directors of major organisations receives wide coverage in the press. Examples (in the Netherlands) are Imtech, HDI, FC Twente, Vestia, and... read more
Overview

District court grants EUR 250 for immaterial damages

District court grants EUR 250 for immaterial damages suffered due to breach with GDPR read more