The decision (case C-210/16) deals mainly with the issue of “joint controllership” between Facebook and website operators using Facebook's 'Like' button on their website. The highest EU court decided that the operator of the website can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the website, but not in respect of subsequent processing.
Fashion ID GmbH & Co. KG is an online fashion retailer which embedded a Facebook 'Like' button on its website. This embedded plug-in results in the transfer of a user's IP address and browser string to Facebook whenever the user enters the Fashion ID website. The transfer of the user information occurs automatically when the Fashion ID website has loaded, even if the user does not click the 'Like' button or have a Facebook account. A German consumer protection association (Verbraucherzentrale NRW e.V.) took legal action against Fashion ID claiming that the use of the plug-in breached data protection legislation.
The case was decided under the former Data Protection Directive ("DPD"), not the GDPR. The Higher Regional Court of Düsseldorf asked the highest EU court (i.e. the Court of Justice of the European Union ("CJEU")) several questions relating to joint controllership as well as a question regarding the legal standing of the consumer association under the preliminary ruling procedure.
2. ESSENCE OF THE RULING
After ruling that the DPD does not preclude Member States from granting consumer organisations standing to bring actions against controllers, the CJEU turned to the core of the issue: joint controllership. Advocate General Bobek had already suggested, in his opinion of 19 December 2018, that operators of websites implementing the 'Like' button were joint controllers with Facebook. In the present case, the CJEU largely followed that opinion. Given the prior rulings of the CJEU in Wirtschaftsakademie Schleswig Holstein (C-210/16) and Jehovan todistajat (C-25/17), which both took a wide view of the concept of joint controllership, this is hardly surprising.
Who then is not a joint controller? The Advocate General had raised that question in his opinion. The CJEU did not directly address that point, but answered indirectly by applying the standard way to determine (joint) controllership, i.e. looking in a granular way at who determined the purposes and means of processing. In the case at hand, the CJEU ruled that the parties were joint controllers for the collection and processing of the data on the website. For the subsequent processing by Facebook, the operator of a website was not a controller, as Fashion ID could not influence the processing. With this decision, the CJEU puts the emphasis on the determination of the purpose(s) as opposed to the means, even though they are supposed to be equally important under the GDPR. By contrast, in the CJEU Wirtschaftsakademie case, the provider of the Facebook fan page also had some influence as to the means of processing - for example, it could set parameters on the target audience.
The next question the CJEU answered concerned the legal basis: whose legitimate interest had to be taken into account? The CJEU ruled that the operator of the website and Facebook each needed to pursue legitimate interests (or have another legal basis for processing) for each processing in order to be justified under Article 7(f) of Directive 95/46. This also means that in a joint controllership relationship, the transfer from one controller to another controller needs to have a legal basis.
Finally, the CJEU turned to obligations following from controllership. It ruled that the operator of the website was responsible for both informing data subjects about the processing as well as for collecting consent where necessary under the ePrivacy Directive.
3. KEY IMPLICATIONS FOR JOINT CONTROLLERSHIP
There are mainly three things to take away from the line of case law of the CJEU on joint controllership: First, the threshold for joint controllership is low. It does not require the parties to share responsibility equally, nor do both parties even have to have access to the personal data processed.
Second, joint controllership might exist for some processing activities, but in other phases of the processing a party might be solely responsible. This necessitates a more granular analysis of each stage of processing.
Finally, while joint controllership is easily assumed by the CJEU, the ruling does not address the relationship between the parties in terms of liability. Data subjects will be better protected by interpreting the concept of (joint) controllership widely. This does however not mean that there might be additional rules allowed or prescribed under national law regarding liability between parties.
The CJEU decision is consistent with previous rulings on joint controllership and expands the concept to cases in which one party has very little influence on the processing of the transferred personal data. Operators of websites implementing the 'Like' button or other (social) plug-ins will have to ask for consent and inform data subjects prior to sending personal data to a third party. This might be quite burdensome in practice, as true consent under the GDPR would require users to have a choice. The consent must cover only the part of the processing for which the operator is determining, jointly or alone, the purposes and means. It is likely that Facebook will update its terms shortly after the decision to include a joint controller agreement for this type of processing, like it did after the Wirtschaftsakademie decision.