Facebook Like buttons and collection of personal data: who is the controller? Advocate General’s Opinion in Case C-40/17

December 21, 2018

Advocate General Michal Bobek has issued an opinion saying that the operator of a website embedding a third party plugin such as the Facebook Like button, which causes the collection and transmission of the users’ personal data, is jointly responsible for that stage of the data processing.

The operator of the website must provide the users with the required minimum information in relation to the data processing operations concerned, and obtain, where required, their consent before the personal information is collected and transferred.

The background to the case related to Fashion ID, a German online clothes retailer. It embedded Facebook’s ‘Like’ button on its website. As a result, when a user goes onto Fashion ID’s website, information about that user’s IP address and browser string is transferred to Facebook. The transfer of personal information happens automatically when Fashion ID’s website has loaded, whether or not the user has clicked on the Like button and whether or not they have a Facebook account.

Verbraucherzentrale NRW, a German consumer association, brought legal proceedings for an injunction against Fashion ID on the ground that the use of the Facebook Like button resulted in a breach of Directive 95/46/EC which has now been superseded by the General Data Protection Regulation (EU) 2016/679.

The case was referred to the Court of Justice of the European Union.

The Advocate General proposed that the Court of Justice of the European Union rule, first, that the Directive 95/46/EC does not preclude national legislation which grants public-service associations standing to commence legal proceedings against the alleged infringer of data protection legislation to safeguard the interests of consumers.

The Advocate General also suggested that under the Directive the operator of a website such as Fashion ID who has embedded on its website a third-party plugin such as the Facebook Like button, which leads to the collection and transmission of the user’s personal data, shall be considered to be a joint controller, along with such third party (here Facebook Ireland).

However, that controller’s (joint) responsibility should be limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.

With respect to the collection and transmission stage of the data processing, Fashion ID acts as a controller and its liability is, to that extent, joint with that of Facebook Ireland.

The Advocate General also proposed that the Court rule that the legitimate interests of both joint controllers in this case (Fashion ID and Facebook Ireland) have to be taken into account and balanced against the rights of the users of the website.

The Advocate General also said that the Court should rule that the consent of the website user, where required, has to be given to the operator of the website (in this case, Fashion ID) that has embedded the content of a third party. Likewise the obligation to provide the website user with the required minimum information applies to the operator of the website.