The Court of Justice of the European Union, the EU’s highest court, has ruled that an operator of a website that features a Facebook ‘like’ button can be a data controller jointly with Facebook.
What happened?
The EU Court of Justice weighed in on a dispute after an online fashion retailer was accused of violating EU law by embedding a Like plugin. Fashion ID, a German online clothing retailer, embedded on its website the Facebook ‘Like’ button. The consequence of embedding that button appears to be that when a visitor consults the website of Fashion ID, that visitor’s personal data are transmitted to Facebook Ireland. It seems that that transmission occurs without that visitor being aware of it and regardless of whether or not he or she is a member of the social network Facebook or has clicked on the ‘Like’ button.
A German public-service consumer association criticised Fashion ID for transmitting to Facebook the personal data of visitors without their consent, and in breach of their information obligation to visitors regarding the use and disclosure of their data under the Directive.
Decision
The Court finds, first, that the former Data Protection Directive does not preclude consumer-protection associations from being granted the right to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The Court notes that the new General Data Protection Regulation now expressly provides for this possibility.
The Court found that Fashion ID cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter. It seems, at the outset, impossible that Fashion ID determines the purposes and means of those operations. By contrast, Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue, since it can be concluded that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations. Overall, Facebook like button ECJ ruling concludes thats websites and Facebook share joint responsibility.
The Court has now made its ruling and concluded that:
- With regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as Fashion ID must obtain that prior consent (solely)in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.
- With regard to the cases in which the processing of data is necessary for the purposes of a legitimate interest, the Court finds that each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them.
According to Dr Bostjan Makarovic, Aphaia Managing Partner, “the Facebook like button ECJ decisions strikes a balance between data subject rights and the commercial realities of web giants’ operations. It is important that the responsibility of the website owner does not extend to further processing of the data by the social network. That said, the assessment of the legitimate interest of the social network in the initial operation might still pose a challenge. Such assessment would best be provided by the social network itself, as part of the standard joint controller arrangement.”