CJEU rules that embedding Facebook “like” buttons could mean website owner is a joint data controller

July 30, 2019

The Court of Justice of the European Union has ruled in Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW C-40/17 that an operator of a website that features a Facebook ‘like’ button can be a controller jointly with Facebook in relation to the collection and transmission to Facebook of the personal data of visitors to its website.

In contrast, the website operator is not, in principle, a controller in relation to the subsequent processing of the personal information that Facebook carries out alone.

Fashion ID is a German online retailer. It embedded Facebook’s ‘like’ button on its website. As a result, when a user goes onto Fashion ID’s website, information about that user’s IP address and browser string is transferred to Facebook. The transfer of personal information happens automatically when Fashion ID’s website is loaded, whether or not the user clicks the button or has a Facebook account. 

Verbraucherzentrale NRW, a German consumer association, brought legal proceedings for an injunction against Fashion ID on the grounds that the use of the Facebook like button results in a breach of Directive 95/46/EC (which has now been superseded by the General Data Protection Regulation (EU) 2016/679). 

The case was referred to the Court of Justice of the European Union.

In late 2018, the Advocate General issued an opinion stating that the operator of a website who embeds a third party plugin, such as the Facebook like button, and which collects and transmits of a user’s personal data, is jointly responsible for that stage of the data processing.

The Court has now made its ruling and concluded that:

  • the former Data Protection Directive 95/46/EC does not preclude consumer-protection associations from bringing or defending legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The Court noted that the new General Data Protection Regulation (EU) 2016/679 now expressly provides for this possibility
  • that it appeared that Fashion ID could not be considered to be a controller regarding the operations involving data processing carried out by Facebook Ireland after the personal information had been transmitted to Facebook Ireland. It seemed, at the outset, impossible that Fashion ID determines the purposes and means of those operations.

By contrast, Fashion ID could be considered a joint controller, with Facebook Ireland, when collecting and disclosing by transmission the personal data at issue, since it could be concluded (subject to the investigations that the German referring court needs to carry out) that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations.

Fashion ID’s embedding of the Facebook ‘like’ button allowed it to optimise the publicity for its goods by making them more visible on the Facebook social network when a visitor to its website clicks on that button. The reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a button on its website was to benefit from that commercial advantage. Therefore, those processing operations appeared to be performed in the economic interests both of Fashion ID and of Facebook Ireland, for whom the fact that it could use the personal data for its own commercial purposes constituted the consideration for the benefit to Fashion ID.

The Court clarified that the website operator such as Fashion ID, as a (joint) controller of visitor data to its website must provide, at the time of collection, certain information to those visitors such as its identity and the purposes of the processing.

The Court also provided guidance on two of the six situations in which the processing of personal data can be considered lawful. Therefore, where the data subject has given his or her consent, the Court ruled that a website operator such as Fashion ID must obtain that prior consent (solely) for operations for which it is the (joint) controller, namely the collection and transmission of the data.

As for legitimate interests, the Court ruled that each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data for those operations to be justifiable.