Thumbs up – A company that embeds the Like button on its website can be considered a data controller jointly with Facebook
Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17) EU:C:2019:629
The Court of Justice of the European Union (“ECJ”) has ruled that companies that embed the Facebook “Like” button (the “Like button”) within their website pages can be considered joint data controllers within the meaning of the General Data Protection Regulation (“GDPR”), alongside Facebook, in respect of the collection and transmission to Facebook of the personal data concerned.
The case facts
In 2015, the German consumer protection body, Verbraucherzentrale, took action against the German online fashion retailer, Fashion ID, for breaching personal data protection rules through its use of the Like button on its site.
Through the embedded Like button, the personal data of every visitor to Fashion ID’s website was transmitted to Facebook Ireland (the data controller for Facebook’s European users). The transmission was without their knowledge and regardless of whether or not the visitor clicked on the button or was a Facebook member. Verbraucherzentrale brought legal proceedings for an injunction to force Fashion ID to stop that practice.
As part of its request for a preliminary ruling, the Higher Regional Court of Düsseldorf asked the ECJ to explain whether Fashion ID, as the operator of a website into which it had inserted the Like button, may be a controller of personal data within the meaning of Article 2(d) of the Data Protection Directive (95/46) (the “Directive”). Since the date of the facts in the dispute, the GDPR has replaced the Directive.
The ECJ ruling
On 29 July 2019, the ECJ handed down its ruling that, in respect of activities taking place before the personal data is transmitted, i.e. the collection and disclosure (by means of transmission to Facebook Ireland), Fashion ID might be considered as a controller jointly with Facebook.
The ECJ considered Fashion ID had consented, at least implicitly, to the collection and disclosure of the personal data of visitors by embedding the Like button in order to benefit from the commercial advantage consisting in increased publicity for its goods. The ECJ found that both companies could determine the purpose of the data processing and the way the data is processed.
However, it found that an operator of a website, such as Fashion ID, that embeds on that website a social plugin such as the Like button cannot be considered a data controller for any subsequent processing, i.e. after the data has been transmitted to Facebook Ireland.
This decision is in line with strict data privacy laws adopted by the European Union last year. It is also in keeping with previous ECJ authority on the privacy responsibilities of companies in respect of their platforms. In 2018, the ECJ took a broad view of the Directive and ruled that both fan page administrators and host platforms could be data controllers jointly responsible with Facebook Ireland for the processing of that data (Case C‑210/16). That said, the ECJ has made it clear that the existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data (Case C-25/17).
Implications of the ECJ’s decision
The impact of this decision is likely to be widely felt. According to Facebook, in the period between April 9 2018 and April 16 2018 the Like button had appeared on 8.4 million websites, while its “Share” button appeared on 931,000 sites.
The decision means companies which embed the Like button, or similar social plug-ins, are exposed to the risk of non-compliance with certain GDPR requirements. Such companies must either obtain informed consent from site visitors prior to transferring data to Facebook, or be able to demonstrate a legitimate interest legal basis for processing this data. The ECJ ruling is likely to apply to other similar social plug-ins, deployed by other rival tech giants, such as Twitter and LinkedIn.
Companies that fail to comply with the GDPR face tough potential penalties, including fines of up to 20 million EUR or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
Facebook may alter its Like button following the ruling. Jack Gilbert, Facebook’s associate general counsel, gave the following statement: “we are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”
For more information please contact Tessa Newman on +44 (0)20 7203 8843 or at Tessa.Newman@crsblaw.com.