Thumbs up – A company that embeds the Like button on its website can be considered a data controller jointly with Facebook
Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17) EU:C:2019:629
The Court of Justice of the European Union (“ECJ”) has ruled that companies that embed the Facebook “Like” button (the “Like button”) within their website pages can be considered as a joint data controller within the meaning of the General Data Protection Regulation (“GDPR”), alongside Facebook, in respect of the collection and transmission to Facebook of the personal data concerned.
The case facts
In 2015, German consumer protection body, Verbraucherzentrale, took action against German online fashion retailer, Fashion ID, for breaching personal data protection rules for its use of the Like button on its site.
Through the embedded Like button, the personal data of every visitor to Fashion ID’s website was transmitted to Facebook Ireland (the data controller for Facebook’s European users). The transmission was without their knowledge and regardless of whether or not the visitor clicked on the button or was a Facebook member. Verbraucherzentrale brought legal proceedings for an injunction to force Fashion ID to stop that practice.
As part of its request for preliminary ruling, the Higher Regional Court of Dusseldorf asked the ECJ to explain whether Fashion ID, as the operator of its website that inserted the Like button, may be a controller of personal data within the meaning of Article 2(d) of the Data Protection Directive (95/46) (the “Directive”). Since the date of the facts in the dispute, the GDPR has replaced the Directive.
The ECJ ruling
On 29 July 2019, the ECJ handed down its ruling that, in respect of activities taking place before the personal data is transmitted, i.e. the collection and disclosure (by means of transmission to Facebook Ireland), Fashion ID might be considered as a controller jointly with Facebook.
The ECJ considered Fashion ID had consented, at least implicitly, to the collection and disclosure of the personal data of visitors by embedding the Like button in order to benefit from the commercial advantage consisting in increased publicity for its goods. The ECJ found that both companies could determine the purpose of the data processing and the way the data is processed.
However, it found that an operator of a website, such as Fashion ID, that embeds on that website a social plugin such as the Like button cannot be considered a data controller for any subsequent processing, i.e. after the data has been transmitted to Facebook Ireland.
This decision is in line with strict data privacy laws adopted by the European Union last year. It is also in keeping with previous ECJ authority on the privacy responsibilities of companies in respect of their platforms. In 2018, the ECJ took a broad view of the Directive and ruled that both fan page administrators and host platforms could be data controllers jointly responsible with Facebook Ireland for the processing of that data (Case C‑210/16). That said, the ECJ has made it clear that existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data (Case C-25/17).
Implications of the ECJ’s decision
The impact of this decision is likely to be widely felt. According to Facebook, in the period between April 9 2018 and April 16 2018 the Like button had appeared on 8.4 million websites, while its “Share” button appeared on 931,000 sites.
The decision means companies which embed the Like button, or similar social plug-ins, are exposed to the risk of non-compliance with certain GDPR requirements. Such companies must either obtain informed consent from site visitors prior to transferring data to Facebook, or be able to demonstrate a legitimate interest legal basis for processing this data. The ECJ ruling is likely to apply to other similar social plug-ins, deployed by other rival tech giants, such as Twitter and LinkedIn.
Companies that fail to comply with the GDPR face tough potential penalties, including fines of up to 20 million EUR or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is highest).
Facebook may alter their Like button following the ruling. Jack Gilbert, Facebook’s associate general counsel gave the following statement, “we are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”
To read the full judgment see here.
For more information please contact Tessa Newman on +44 (0)20 7203 8843 or at Tessa.Newman@crsblaw.com.
Our thinking
IBA Annual Conference
The IBA heads to Miami for its 2022 Annual Conference bringing together thousands hundreds of lawyers from around the world.
Martin Wright
Joint Venture Opportunities
Join our panel where we will discuss various topics including Joint Venture structuring and Partner procurement.
Julia Cox
Mind your business: Safeguarding your business against loss of mental capacity
Practical considerations to safeguard your business against loss of mental capacity.
Sarah Anticoni
FT Wealth quotes Sarah Anticoni on forum shopping
"Being the first to file for divorce is not a foolproof way of securing an English hearing"
Louise Ward
What can UK investors interested in Life Sciences learn from their more experienced, including US, counterparts?
The recent tie-up between Canary Wharf and Kadans demonstrates the enthusiasm to access the lucrative UK life sciences market.
Helen Coward
Helen Coward writes for Tax Journal on the main purpose test for SDLT group relief
Mainly ignored? The main purpose test for SDLT group relief
Patricia Nathan-Amissah
The Ayes have it - Collateral Warranties can be a ‘Construction Contract’
The Court of Appeal handed down its judgment in the case of Abbey Healthcare (Mill Hill) Limited v Simply Construct (UK) LLP
Andrew Collins
Charles Russell Speechlys advises Caretech Holdings PLC on its proposed £870.3 million take private
Charles Russell Speechlys is advising the independent board of Caretech Holdings PLC, in its take private sale to Amalfi Bidco Limited.
Jonathan Morley
Charles Russell Speechlys advising Battery Ventures on the sale of SPT Labtech for £650 million.
Battery Ventures has raised over $9 billion to invest in software and services, enterprise infrastructure, and much more around the world.
Sarah Farrelly
Windrush Day 2022 – supporting access to justice
Charles Russell Speechlys is proud to continue supporting survivors of the Windrush scandal in their fight for justice.
Laura Bushaway
The Leasehold Reform (Ground Rent) Act 2022: Landlords and developers beware serious sanctions for non-compliance
The Leasehold Reform (Ground Rent) Act 2022 received Royal Assent on 8 February 2022 and will come into force on 30 June 2022.
Emma Preece
EG quotes Emma Preece on the Picturehouse and BNY Mellon rent arrears cases
“The case is being closely watched by landlords and tenants alike as the impact of the pandemic lives on in the commercial property sector”
David Coates
Charles Russell Speechlys has advised long-standing client Stonegate on a series A investment into Peckwater Brands
Stonegate is one of the largest pub companies in the UK with a rich portfolio that covers over 4,500 sites.
Sarah Farrelly
Pro bono support for major office premises move for charity in Stoke-on-Trent
Emmaus entities provide safe homes, community support and meaningful work to formerly homeless people across the UK.
Rachel Warren
Financier Worldwide quotes Rachel Warren on the UK’s Economic Crime Act
Evaluating the UK’s Economic Crime Act
Felicity Chapman
Julia Cox and Felicity Chapman write for International Adviser on the rise of pre-nups in the UK
Julia Cox and Felicity Chapman write for International Adviser on the rise of pre-nups
Samuel Lear
Property Patter: Reasonable Endeavours
What does it mean to use ‘best’, ‘all’ or ‘reasonable’ endeavours?
Rose Carey
Could the UK’s Life Sciences Vision be restricted by its Immigration Policy?
We explore some of the visa options that may be open to businesses in the sector and their relative pros and cons.
Grégoire Uldry
New Swiss succession law on the transfer of businesses
On 10 June 2022, the Federal Council adopted its Message amending the Civil Code on the transfer of businesses by succession.
Joshua Green
Joshua Green writes for Spear's Magazine on Wagatha Christie’s lessons for HNWs
Wagatha Christie’s lessons for HNWs