In Short
The Situation: Fashion ID, a German online clothing retailer, embedded on its website the Facebook "Like" button. When a user consults the website of Fashion ID, that user's personal data are transmitted to Facebook Ireland. The transmission occurs regardless of whether the user is a Facebook member or has clicked on the "Like" button.
The Result: On July 29, 2019, the European Court of Justice ("ECJ") ruled (Case C-40/17), following the Opinion of Advocate General Bobek of December 2018, that Fashion ID and Facebook Ireland are joint controllers with regard to the operations involving the collection and disclosure by transmission to Facebook Ireland. However, Facebook Ireland is the sole controller regarding its processing after such transmission.
Looking Ahead: Besides updating their privacy policies, website operators that use social plugins, such as the Facebook "Like" button, will be required to ensure a legal basis for processing (this will regularly require obtaining consent from users, for example, via a cookie consent tool) and to provide appropriate notice to users prior to collecting and transmitting personal data to the social media provider offering the plugin. Additionally, website operators and social media providers will be required to enter into a joint-controller agreement.
Key Facts of the Decisions
- Consumer-protection associations may be granted the right to bring or defend legal proceedings for an infringement of data protection law under EU Member State law as now foreseen in Art. 82 (2) of the General Data Protection Regulation ("GDPR").
- A website operator embedding a third-party plugin on its website, which causes the collection and transmission of the users' personal data to the plugin service provider, is considered a controller of that data.
- Embedding the plugin enables the processing of the user's personal data by the plugin service provider. Therefore, the website operator determines the purposes and means of the collection and transmission of the user's personal data jointly with the plugin service provider.
- Users must be informed about the processing of their data at the time of collection, and processing must be based on a legal justification (i.e., prior consent). However, the responsibility of the website operator, including its information obligation and its obligation to ensure a legal basis for the processing, is limited to those processing operations for which the website operator effectively co-decides on the means and purposes of the processing of the personal data. In the case at hand (and in many parallel cases), this is limited to the collection and disclosure by transmission of the user's personal data to the plugin service provider.
- In practice, it remains to be seen how the website operator and the plugin service provider will implement their respective obligations to provide notice to users via their privacy policy and (where necessary) obtain users' consent. Social media providers offering plugins may push to make this a responsibility of the website operator in the joint-controller agreement governing the implementation and use of the social plugin.
- Where the processing of personal data does not require the consent of the user, but can be based on legitimate interest, both the website operator and the plugin service provider (as joint controllers) have to pursue a legitimate interest, which has to be balanced against the rights and freedoms of the user.