On 29 July 2019, the Court of Justice of the EU (“CJEU”) confirmed that a website owner that has embedded a third-party social plug-in, such as Facebook’s “Like” button, into its website may be jointly responsible with that third party for the collection and transmission of personal data relating to visitors. However, in principle, the website owner is not responsible for the further processing of this data by that third party alone.
What happened in this case?
Fashion ID, an online company selling fashion items, voluntarily embedded Facebook’s “Like” button, a third-party social plug-in, into its website. This means that when a user lands on Fashion ID’s website, his/her personal data (e.g. IP address, browser string) is transferred to the social network. That transfer occurs automatically when Fashion ID’s website has loaded, irrespective of whether the user has clicked on the “Like” button and whether or not he/she has a Facebook account.
Verbraucherzentrale NRW, a German consumer protection association, brought a claim against Fashion ID on the grounds that it inserted Facebook’s “Like” button and did not sufficiently inform visitors.
What are social plug-ins?
Social plug-ins are tools (pieces of software code) that website owners can use on their websites to provide users with various social experiences (i.e. share buttons, follow buttons, like buttons, etc.).
These buttons for social networks are very popular with website owners as they increase the website’s visibility, optimize product advertisement (by making them visible on social media), and provide more traffic, feedback and statistical information about users.
With the “Like” button, Facebook stores cookies on the user’s computer. This automatically transfers their personal data to Facebook because the browser establishes a connection with the social network’s servers. The website owner also collects and sends data (e.g. IP addresses) of users with no Facebook profile. The IP addresses are stored using cookies and are used to create anonymous profiles.
The CJEU ruled that a website owner that embeds on that website a social plug-in causing the browser of a visitor to that website to request content from the provider of that plug-in and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller.
- Does the CJEU limit the liability of joint controllers?
Yes, the controller’s (joint) responsibility is limited to those on which it makes joint decisions regarding the means and purposes of the processing of personal data. This means that the (joint) controller is the one responsible for the operation or set of operations for which it shares or jointly determines the purposes and means of a particular processing operation. However, the website owner cannot be held liable for either the preceding stages or subsequent stages of the overall chain of processing, for which it is not in a position to determine either the purposes or means of that stage of processing.
According to the CJEU, Fashion ID and Facebook jointly decide on the purposes and means of data processing at the stage of collection and transmission of personal data.
By inserting such a plug-in into its website, Fashion ID also has a strong influence on the collection and transmission of personal data of visitors to Facebook, which would not be the case without the plug-in. These processing operations are carried out in the economic interests of both Fashion ID and Facebook, increasing Fashion ID’s visibility, while also providing Facebook with data for its own commercial purposes.
- Whose legitimate interests should be taken into account when relying on “legitimate interests” as a legal basis for processing?
As to the legitimacy of processing personal data without the user's consent, the CJEU reiterated that such processing is legitimate if three cumulative conditions are met: (1) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; (2) the need to process personal data for the purposes of the legitimate interests pursued; and (3) that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.
On this point, the CJEU ruled that the legitimate interests of the two joint controllers of the processing operations in question (Fashion ID and Facebook Ireland) must be taken into account and weighed against the rights of the data subjects with regard to the users of the Internet site.
- Who needs to obtain consent from the users?
The CJEU ruled that the consent of data subjects must be given to the website owner (Fashion ID) that has inserted the content (plug-in) of a third party. Similarly, the obligation to provide the website user with the information is also the responsibility of the website owner (Fashion ID).
Key takeaways and practical steps
When you use social plug-ins on your website, you may be considered as joint controller with the social network(s) that provide(s) the plug-ins. Therefore, you should:
carry out due diligence to determine whether the social network has put in place adequate controls to comply with Europe’s data protection rules;
carefully assess the lawfulness of the processing activities of said third parties before inserting a third-party social plug-in into your website;
verify the conditions of use of the social plug-in as applied by the social network concerned and ensure compliance with such contractual conditions;
request consent for using the third-party social plug-in before collecting and transmitting the personal data to that third party (please note that the CNIL and the ICO have adopted new guidelines on cookies and other tracking devices);
in your contract with the social network set out each party’s roles and responsibilities regarding compliance with Europe’s rules and data protection; and
remember that you are only responsible for the operation or set of operations for which you share or jointly determine the purposes and means of a given processing operation. Your liability does not extend to the preceding stages or subsequent stages of processing that are outside your control and knowledge.
Although the case focuses on interpreting Data Protection Directive 95/46, this interpretation is likely to still apply when considering the application of the GDPR.