14 August 2019

Thumbs up – A company that embeds the Like button on its website can be considered a data controller jointly with Facebook

Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17) EU:C:2019:629

The Court of Justice of the European Union (“ECJ”) has ruled that companies that embed the Facebook “Like” button (the “Like button”) within their website pages can be considered as a joint data controller within the meaning of the General Data Protection Regulation (“GDPR”), alongside Facebook, in respect of the collection and transmission to Facebook of the personal data concerned.

The case facts

In 2015, German consumer protection body, Verbraucherzentrale, took action against German online fashion retailer, Fashion ID, for breaching personal data protection rules for its use of the Like button on its site.

Through the embedded Like button, the personal data of every visitor to Fashion ID’s website was transmitted to Facebook Ireland (the data controller for Facebook’s European users). The transmission was without their knowledge and regardless of whether or not the visitor clicked on the button or was a Facebook member. Verbraucherzentrale brought legal proceedings for an injunction to force Fashion ID to stop that practice.

As part of its request for preliminary ruling, the Higher Regional Court of Dusseldorf asked the ECJ to explain whether Fashion ID, as the operator of its website that inserted the Like button, may be a controller of personal data within the meaning of Article 2(d) of the Data Protection Directive (95/46) (the “Directive”). Since the date of the facts in the dispute, the GDPR has replaced the Directive.

The ECJ ruling

On 29 July 2019, the ECJ handed down its ruling that, in respect of activities taking place before the personal data is transmitted, i.e. the collection and disclosure (by means of transmission to Facebook Ireland), Fashion ID might be considered as a controller jointly with Facebook.

The ECJ considered Fashion ID had consented, at least implicitly, to the collection and disclosure of the personal data of visitors by embedding the Like button in order to benefit from the commercial advantage consisting in increased publicity for its goods. The ECJ found that both companies could determine the purpose of the data processing and the way the data is processed.

However, it found that an operator of a website, such as Fashion ID, that embeds on that website a social plugin such as the Like button cannot be considered a data controller for any subsequent processing, i.e. after the data has been transmitted to Facebook Ireland.

This decision is in line with strict data privacy laws adopted by the European Union last year. It is also in keeping with previous ECJ authority on the privacy responsibilities of companies in respect of their platforms. In 2018, the ECJ took a broad view of the Directive and ruled that both fan page administrators and host platforms could be data controllers jointly responsible with Facebook Ireland for the processing of that data (Case C‑210/16). That said, the ECJ has made it clear that existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data (Case C-25/17).

Implications of the ECJ’s decision

The impact of this decision is likely to be widely felt. According to Facebook, in the period between April 9 2018 and April 16 2018 the Like button had appeared on 8.4 million websites, while its “Share” button appeared on 931,000 sites.

The decision means companies which embed the Like button, or similar social plug-ins, are exposed to the risk of non-compliance with certain GDPR requirements. Such companies must either obtain informed consent from site visitors prior to transferring data to Facebook, or be able to demonstrate a legitimate interest legal basis for processing this data. The ECJ ruling is likely to apply to other similar social plug-ins, deployed by other rival tech giants, such as Twitter and LinkedIn.

Companies that fail to comply with the GDPR face tough potential penalties, including fines of up to 20 million EUR or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is highest).

Facebook may alter their Like button following the ruling. Jack Gilbert, Facebook’s associate general counsel gave the following statement, “we are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”

To read the full judgment see here.

For more information please contact Tessa Newman on +44 (0)20 7203 8843 or at Tessa.Newman@crsblaw.com.

Insights Ayman Shehata 22 January, 2021

The Tech Entrepreneur’s Journey – Private Equity Buyouts

The third in a series of articles mapping out The Tech Entrepreneur’s Journey , this time exploring private equity buyouts.

Insights Niel Coertse 21 January, 2021

Conditional payment clauses in the UK and Middle East

Niel Coertse writes for Practical Law Construction on how conditional payment clauses help to prevent cash flow difficulties.

Insights Julia Cox 20 January, 2021

Mi casa es su casa: second homes and the shared ownership exemption

Estate agents across the UK are reporting a notable increase in the demand for second homes and holiday homes

Insights Paul Stone 20 January, 2021

Focus Antitrust

The latest edition of our regular competition law update

Our clients

Individuals and Families

Businesses

Major Corporates & Institutions

Browse our full range of sectors

Explore our News & Insights

Coronavirus (COVID-19) Insights and Information

Insights