The Court of Justice of the European Union (CJEU) has ruled that website operators incorporating third-party plugins such as Facebook’s “Like” button can be joint controllers for the purposes of data protection law.
Verbraucherzentrale NRW eV, a German public service consumer rights association, brought an action against an online clothing retailer (Fashion ID) over concerns that its use of the Facebook “Like” button on its website was in breach of data protection law.
The “Like” button allows visitors to a website to directly “Like” or share the relevant page on Facebook. When a person’s browser encounters the button it automatically transmits the user’s IP address and other data to Facebook to populate the plugin, regardless of whether or not they have a Facebook account or have even clicked the “Like” button. The website operator cannot control what data the browser transmits or what Facebook does with that data.
The higher German court requested a preliminary ruling from the CJEU on whether the website operator is a controller for the purposes of the Data Protection Directive, which has since been replaced by the General Data Protection Regulation (GDPR).
The CJEU found that by embedding the “Like” button on its website, Fashion ID had made it possible for Facebook to obtain the personal data of visitors to its website. As Fashion ID was capable of determining the purposes and means of this data processing, it was found to be a controller, jointly with Facebook, in respect of the collection and disclosure of its customers’ personal data.
Important to the decision were Fashion ID’s awareness that personal data was being transmitted to Facebook and the obvious commercial advantage it gained from increasing the visibility of its goods on the social network. However, the CJEU stopped short of finding Fashion ID solely liable by acknowledging that it cannot be regarded as a controller of any data that was subsequently processed by Facebook.
This ruling follows the recent trend in case law of finding a low threshold for joint controllership of personal data, especially as it has reiterated that a party can still be deemed a joint controller of data to which it has no access.
Businesses should be aware that by incorporating third-party plugins on their website they may be deemed to be a joint controller of personal data under the GDPR. As such, they will need to comply with additional obligations such as providing certain information (including their identity and the purposes of the processing) to visitors to their website at the time of the data collection. Joint controllers may also be subject to a greater risk of liability, as a regulator can take enforcement action and impose fines for the breach of any obligations under the GDPR, even if the responsibility for compliance has been contractually allocated to the other controller. In addition, data subjects may bring compensation claims for damage suffered, even if responsibility for the damage lies with the other joint controller.
Businesses should therefore be keenly aware of their obligations under the GDPR and ensure their ongoing compliance, particularly when processing any personal data with a third party for a similar purpose.