Thumbs up – A company that embeds the Like button on its website can be considered a data controller jointly with Facebook
Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17) EU:C:2019:629
The Court of Justice of the European Union (“ECJ”) has ruled that companies that embed the Facebook “Like” button (the “Like button”) within their website pages can be considered as a joint data controller within the meaning of the General Data Protection Regulation (“GDPR”), alongside Facebook, in respect of the collection and transmission to Facebook of the personal data concerned.
The case facts
In 2015, German consumer protection body, Verbraucherzentrale, took action against German online fashion retailer, Fashion ID, for breaching personal data protection rules for its use of the Like button on its site.
Through the embedded Like button, the personal data of every visitor to Fashion ID’s website was transmitted to Facebook Ireland (the data controller for Facebook’s European users). The transmission was without their knowledge and regardless of whether or not the visitor clicked on the button or was a Facebook member. Verbraucherzentrale brought legal proceedings for an injunction to force Fashion ID to stop that practice.
As part of its request for preliminary ruling, the Higher Regional Court of Dusseldorf asked the ECJ to explain whether Fashion ID, as the operator of its website that inserted the Like button, may be a controller of personal data within the meaning of Article 2(d) of the Data Protection Directive (95/46) (the “Directive”). Since the date of the facts in the dispute, the GDPR has replaced the Directive.
The ECJ ruling
On 29 July 2019, the ECJ handed down its ruling that, in respect of activities taking place before the personal data is transmitted, i.e. the collection and disclosure (by means of transmission to Facebook Ireland), Fashion ID might be considered as a controller jointly with Facebook.
The ECJ considered Fashion ID had consented, at least implicitly, to the collection and disclosure of the personal data of visitors by embedding the Like button in order to benefit from the commercial advantage consisting in increased publicity for its goods. The ECJ found that both companies could determine the purpose of the data processing and the way the data is processed.
However, it found that an operator of a website, such as Fashion ID, that embeds on that website a social plugin such as the Like button cannot be considered a data controller for any subsequent processing, i.e. after the data has been transmitted to Facebook Ireland.
This decision is in line with strict data privacy laws adopted by the European Union last year. It is also in keeping with previous ECJ authority on the privacy responsibilities of companies in respect of their platforms. In 2018, the ECJ took a broad view of the Directive and ruled that both fan page administrators and host platforms could be data controllers jointly responsible with Facebook Ireland for the processing of that data (Case C‑210/16). That said, the ECJ has made it clear that existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data (Case C-25/17).
Implications of the ECJ’s decision
The impact of this decision is likely to be widely felt. According to Facebook, in the period between April 9 2018 and April 16 2018 the Like button had appeared on 8.4 million websites, while its “Share” button appeared on 931,000 sites.
The decision means companies which embed the Like button, or similar social plug-ins, are exposed to the risk of non-compliance with certain GDPR requirements. Such companies must either obtain informed consent from site visitors prior to transferring data to Facebook, or be able to demonstrate a legitimate interest legal basis for processing this data. The ECJ ruling is likely to apply to other similar social plug-ins, deployed by other rival tech giants, such as Twitter and LinkedIn.
Companies that fail to comply with the GDPR face tough potential penalties, including fines of up to 20 million EUR or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is highest).
Facebook may alter their Like button following the ruling. Jack Gilbert, Facebook’s associate general counsel gave the following statement, “we are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”
To read the full judgment see here.
For more information please contact Tessa Newman on +44 (0)20 7203 8843 or at Tessa.Newman@crsblaw.com.
Sponsor Licence Compliance: Key considerations & how to be audit ready
Join us for the third in our series of mini webinars on post Brexit immigration about sponsor licence compliance.
The Future of Property Careers
Join to our panel discussion and Q&A with industry leaders on the range of opportunities within the property and construction sector.
New tax on property developers - consultation paper published
The government published a consultation paper on the design of the new residential property developers tax.
Procuring modular housing: Is MMC becoming mainstream?
Is Modern Methods of Construction becoming mainstream? Read what it means for Development and Procurement here.
Dual class share structures: how do they work and what are the pros and cons?
Dual class share structures allow a shareholder, for example the founder, to retain voting control over a company.
Q&A: Talking the telecoms talk
Georgina Muskett and Jonathan Wills answer queries on Electronic Communications Code agreement.
Property Patter: Navigating the complexities of Pharmacy Property
Pharmacy property is a specialist area which contains many traps for the unwary.
COVID-19 Vaccination – can an employer make it compulsory for employees?
We review what legal issues to take into account when considering to make vaccination compulsory as an employer.
Music to our ears? Well, perhaps not for Apple.
A feud first began when the music streaming giant, Spotify, filed a complaint against music streaming provide rand competitor, Apple Inc.
Linking ESG and Executive Pay
How does a business go about embedding a focus on strong ESG performance into the structures and culture of its organisation?
National Security and Investment Act granted Royal Assent
The Act establishes a new regime for the review of mergers, acquisitions and other transactions that could threaten national security.
Recent Trends In Firewall Legislation: BVI, Bermuda And Gibraltar
Charles Russell Speechlys advises Waverton on acquisition of Cornerstone Asset Management
Established in July 2010 and with offices in Edinburgh and Glasgow, Cornerstone offers wealth management and financial planning advice.
What do the new Debt Respite Scheme Regulations mean for Landlords and Tenants?
This will provide legal protection from creditors in the form of either a breathing space or a mental health crisis moratorium.
Charles Russell Speechlys promotes five to Partner
The promotions are effective 1 May 2021 and are accompanied by one Legal Director and 15 Senior Associate promotions.
Risk allocation in commercial leases: the High Court considers rent suspension, insurance and frustration arguments
Read our summary of the full judgement on the latest Covid arrears case.
Charles Russell Speechlys boosts private wealth offering with the hire of an international tax team
Robert Reymond will be joined at the firm by Leigh Nicoll, Emma Tyrrell and Oliver Cooper.
Proposed Takeover Code Amendments – Key Changes
The Consultation Paper has now been followed by a corresponding response paper which made certain modifications to the initial proposals.
Competition and Markets Authority announces review of the EU vertical agreements block exemption
The UK Competition and Markets Authority is reviewing the future application of the EU vertical agreements block exemption in the UK.
Playing Copycat – Why have M&S begun legal action against Aldi over Colin the Caterpillar?
M&S’s chocolate caterpillar was the first of its kind to land on our supermarket shelves, over 30 years ago.