Executive Summary

At the beginning of 2017 the Higher Regional Court of Düsseldorf referred the question whether a website owner is indeed the responsible body from a civil and data protection law perspective to the European Court of Justice. The Court’s decision, which may be rendered by the end of this year, will have a fundamental impact on the assessment of the legality of social media plug-ins and “like” functions which have become standard features on most websites.

Background

In 2016 the District Court of Düsseldorf ruled against a retailer’s usage of the Facebook “like‑button” on its website (File No. 12 O 151/15).

The court ruled that website owners—who integrate social media plug-ins (like Facebook, LinkedIn, Twitter, or Google+) in their websites by way of integrated frames and programming codes provided by the relevant social media platform—are to be qualified as the accountable body from a data protection law perspective and as such legally responsible for any transfer of personal data (including dynamic IP addresses) to the relevant social media platform.

The court decided in favour of the North Rhine-Westphalia Consumer Association and held that the website owner failed to obtain proper informed consent before transmitting its users’ online identities to Facebook, violating German data protection law, as a “mere link to a data protection statement at the foot of the website does not constitute an indication that data are being processed.” The criticism under data protection law is, in particular, that the data transfer takes place irrespective of whether the data subject even uses the “like-button” or not.

On top of that, the court said that such a violation of German data protection law gave the retailer an unjustified commercial advantage and decided that the retailer had also violated German competition law, for which it faces a fine of up to EUR 250,000.

Referral to the European Court of Justice

The District Court’s decision was particularly interesting, as the question whether dynamic IP addresses (i.e., not permanently assigned IP addresses) are to be deemed personal data or not is currently pending before the European Court of Justice and because the ruling may be seen as contradictory to the “Facebook Fanpage” judgment of a Higher Administrative Court. In that case, the court opined that a body which does not have any legal or actual influence on the decision as to how personal data is processed cannot be considered the responsible body from a data protection law perspective.

It is therefore not surprising that the court of appeal, the Higher Regional Court of Düsseldorf, decided on 19 January 2017 to stay the appeal process and to refer in particular the question whether the website owner indeed is the responsible body from a civil and data protection law perspective to the European Court of Justice.

How to be compliant

The decision of the European Court of Justice will have a fundamental impact on the assessment of the legality of social media plug-ins and “like” functions with respect to data protection.

Until the decision of the European Court of Justice has been rendered and in order to avoid (costly) administrative orders from the data protection authorities as well as competition law disputes with consumer associations and competitors, website owners should:

  • implement technical measures (e.g., by using so-called “Shariff” tools) that prevent the transfer of personal data without an active step by the website user; and
  • again review the content of their web presence as well as the information provided for in their data privacy statements.