On 29 July 2019, the Court of Justice of the European Union (CJEU) delivered a judgment that many had long awaited, concerning the legal requirements for embedding the Facebook “Like” button into a website (decision of 29 July 2019, C-40/70). With its decision, the CJEU clarifies the controversial question of whether a website operator is responsible for the processing of its users’ data by Facebook. The court also comments on information duties and consent requirements. Although the CJEU ruling is based on the provisions of the former Data Protection Directive, the considerations should equally apply under the GDPR. Many website operators will have to adapt their websites in response to the decision in order to avoid possible fines or cease and desist claims.

Background

By implementing the Facebook “Like” button into a website, the website operator opens a connection between its users and Facebook. Whenever a user accesses the website, user data, such as IP addresses, is forwarded to Facebook, regardless of whether the user has a Facebook account. Thus, although the website operator has no influence on how Facebook handles the user data it receives in this way, by implementing the Facebook “Like” button into the website the website operator triggers the subsequent data use by Facebook. Until the CJEU’s judgment, it was not entirely clear to what extent the website operator was responsible for the data transfer to, and the data use by, Facebook.

Joint control

According to the CJEU’s ruling, website operators will no longer be able to deny their responsibility with the argument that the data processing in relation to the “Like” button is conducted exclusively by Facebook. The court has clearly taken the position that the website operator and Facebook are jointly responsible for the data processing on the website concerning the “Like” button. For the website operator to be responsible, the CJEU considers it sufficient that the operator has implemented the “Like” button on its website and thereby pursues its own economic interests. In its reasoning, the CJEU pointed out that embedding a “Like” button enables the operator to make its goods more visible on Facebook and, thus, to optimize the publicity of its goods.

However, the qualification as joint controllers does not extend to the subsequent processing by Facebook that follows the data collection on the website. This later phase falls within the exclusive responsibility of Facebook.

Although the Court’s observations are based on the interpretation of provisions of the former Data Protection Directive, the judgment is equally relevant under the GDPR. The relevant definitions of the terms “processing” and “controller” have changed only insignificantly under the GDPR, so the considerations of the European Court of Justice on their interpretation can be transferred to the current regulatory regime.

Legal basis for the data processing

As the question was not relevant to its decision, the CJEU did not have to decide whether the implementation of the Facebook “Like” button requires the user’s consent. This question still has to be decided by the court of first instance (Higher Regional Court Düsseldorf, decision of 19 January 2017, I-20 U 40/16). However, according to the CJEU, the qualification as joint controllers means that the data use by both Facebook and the website operator needs to be justified by a legal basis when the data is processed on the website. Thus, where consent is relied on as the legal basis, the court stated that a valid consent would need to be obtained by the website operator itself; it would not be sufficient to rely on Facebook in that regard.

Information obligations

According to the CJEU, the duty to provide information about the data processing prior to the data collection requires the website operator to inform users about the transfer to, and the data use by, Facebook on the website. The respective notice, which can be embedded into the website privacy policy, will at least need to include information about the fact of the data collection, the data categories and the purpose of the processing. Information on the subsequent processing operations will have to be provided by Facebook.

Relevance beyond Facebook “Like” button

The CJEU’s decision concerned questions regarding the implementation of the Facebook “Like” button. However, the CJEU indicated that its considerations equally apply to other social media plug-ins. Thus, the decision is also relevant for website operators that have integrated, e.g., plug-ins for Twitter or LinkedIn.

Further, we expect that the CJEU’s ruling will in future have an impact on any third party content embedded in a publisher’s website, e.g. for tracking or analytics purposes. Therefore, publishers should review whether and in what manner third party content is embedded, as well as whether the proper technical and legal mechanisms are in place for such integration.

Enforcement

Violations of the requirements for implementing social media plugins can result in fines under the GDPR.

In addition, the CJEU came to the conclusion that consumer protection societies and other third parties are entitled to bring claims for potential violations of data protection laws on behalf of a data subject within the scope of the former Data Protection Directive 95/46/EC. National regulations that allow for such claims do not contradict the harmonized regulations in the Directive, and the Court emphasized that this reflects the intention of the European lawmaker as set out in the GDPR. This is particularly relevant as consumer protection societies are often more aggressive than data protection authorities, and the societies are experienced in enforcing consumer protection regulations before the courts.

We therefore expect increasing activity by these societies and a stronger focus on data protection non-compliance in future. Thus, we recommend that you re-assess whether your website complies with GDPR (and ePrivacy) requirements.

The qualification as a joint controller does not mean that one controller can rely on the compliance of the other; rather, both have to ensure that the obligations under the GDPR are complied with. Thus, the following issues should be considered by website operators:

  • Social media plug-ins should be integrated in such a way that communication with the social media provider only takes place when the user clicks on the corresponding button (e.g. by using a “2-click solution” or the “Shariff” button).
  • If social media plug-ins are embedded into a website, the website operator must inform its users about the data processing by the plug-in provider. Thus, updates to the website privacy policy will likely be required.
  • We assume that Facebook will provide an agreement on joint controllers to fulfil the requirements stipulated in Art. 26 GDPR and to allow lawful use of the “Like” button (similar to what they did with respect to Facebook Insights). In this case, the website operator would need to inform the users about the essentials of this agreement (i.e. in the website privacy policy).
  • The CJEU’s ruling is likely to affect embedded third party content in general. Thus, it is advisable to closely review such content and amend the respective implementation mechanisms, if necessary.
  • The broad understanding of joint control could lead to more cases in which parties are regarded as joint controllers, thus making it necessary to conclude corresponding agreements in future.
  • Even though the CJEU has not decided on the necessity of user consent with regard to plug-ins, it is likely, also against the background of current statements by the German data protection supervisory authorities, that the Higher Regional Court Düsseldorf will consider such consent to be necessary.
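The “2-click solution” recommended in the first point above, as an added example (not code from the article, from Facebook or from the Shariff project): the page first renders a purely local placeholder, so no request reaches the plug-in provider; the provider’s script is only injected after the user’s explicit click, and never more than once. The provider name, SDK URL and widget markup are constructed placeholders, and `loadScript` is injectable so the logic can be exercised without a browser.

```javascript
// Two-click social plug-in loader (added example; provider details are placeholders).
// Stage 1: local placeholder only, nothing references the provider's servers.
// Stage 2: after an explicit click, inject the provider's script and real widget.
function createTwoClickPlugin(opts) {
  const { providerName, sdkUrl, widgetHtml, container, loadScript } = opts;
  // Default injector appends a <script> tag, which is what triggers the
  // third-party request; tests pass their own injector instead.
  const inject = loadScript || ((url) => {
    const s = document.createElement('script');
    s.src = url;
    s.async = true;
    document.head.appendChild(s);
  });
  let state = 'inactive'; // 'inactive' -> 'active', never back
  let loads = 0;          // number of SDK requests made; must stay <= 1

  function renderPlaceholder() {
    // Static markup: no image, iframe or script from the provider is referenced.
    return `<button type="button" class="plugin-placeholder" data-provider="${providerName}">` +
      `Enable ${providerName} button (loads content from ${providerName})</button>`;
  }

  function activate() {
    if (state === 'active') return false; // repeated click: no duplicate request
    state = 'active';
    loads += 1;
    inject(sdkUrl);                       // first and only contact with the provider
    if (container) container.innerHTML = widgetHtml;
    return true;
  }

  return { activate, renderPlaceholder, getState: () => state, getLoadCount: () => loads };
}

// Browser wiring (skipped when no DOM is present, e.g. under a test runner).
if (typeof document !== 'undefined') {
  const slot = document.getElementById('social-plugin-slot'); // hypothetical element id
  if (slot) {
    const plugin = createTwoClickPlugin({
      providerName: 'ExampleSocial',                      // placeholder provider
      sdkUrl: 'https://plugin-provider.example/sdk.js',   // placeholder SDK URL
      widgetHtml: '<div class="example-like-widget"></div>',
      container: slot,
    });
    slot.innerHTML = plugin.renderPlaceholder();
    slot.addEventListener('click', () => plugin.activate());
  }
}
```

Because the widget markup itself is only written into the page on activation, an attacker-free baseline page load produces no third-party request at all, which is what the website operator must be able to show.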