Last week’s hotly anticipated European Court of Justice Fashion ID ruling promises to upend contractual arrangements in the sprawling adtech sector, with observers expecting many duties to be pushed to website operators.
Last week’s decision found that German e-commerce company Fashion ID’s use of Facebook Like buttons makes it a joint controller for website visitor personal data collected and sent to the social media company – but not for Facebook’s subsequent processing of the data.
The decision means more companies will be considered joint controllers, imposing greater data protection obligations on them. But the ruling’s division between data collection on the site and subsequent data processing by Facebook suggests controllers will be able to specify a greater and more granular level of control over their part of the data chain.
The ruling built on previous ECJ cases addressing controllership, including the Facebook fan pages decision, in which the court confirmed that Facebook could be held liable as a data controller alongside the operator of a fan page on its platform.
The GDPR already states that organisations in a joint controller relationship must agree – usually through a contract – their respective responsibilities to data subjects. But following this decision, says Lore Leitner, counsel at Wilson Sonsini Goodrich & Rosati in London, it’s likely that lawyers will update contracts to make these obligations narrower and more specific.
Jörg Hladjk, a partner at Jones Day in Brussels, says joint controllers will now more than ever want to have a “solid” joint controllership agreement in place because of increased liability, especially in cases where data processing is complex.
Tanguy Van Overstraeten, a partner at Linklaters in Brussels, says companies that could now be considered as joint controllers should “review their position in detail and evaluate which contractual arrangements they have in place or want to put in place”.
“The impact of a violation of the GDPR is potentially too high to disregard this essential step,” he says.“The current trend is that an increasing number of stakeholders already consider themselves joint controllers in a growing number of situations.”
Adtech, with its sprawling ecosystem of data handlers, is likely to be deeply affected by the decision’s promised shake up of data-handling contracts.
But Wilson Sonsini’s Leitner argues the decision is better news for ad tech than expected. She says the decision means players in the sector will be able to say with more certainty – and more specificity – what their obligations are.
“It’s actually a very decent outcome for the ad tech industry in light of the fact that the case law was evolving towards a really broad definition of joint controllership,” Leitner says. “It’s a pragmatic approach from the court.”
Van Overstraeten says the decision makes it likely that ad tech players will be increasingly considered as joint controllers, even if one of them does not have actual access to the data. “This may significantly impact web site operators and potentially the internet business model as a whole,” he says.
Leitner, too, says that the decision may have the greatest effect on website operators and publishers – those who sell space to advertisers via brokers. Data responsibilities will likely be pushed down to the website operator through contractual arrangements, she argues.
But Jones Day’s Hladjk notes that web operators often do not determine the purposes of processing in activities such as ad display, online profiling and payment processing.
Past decisions suggest that the question of who determines the purposes of processing – and how this is contractually arranged – might be a complicated issue. The CNIL’s October 2018 Vectaury decision, Leitner argues, made it clear that companies cannot put contractual provisions in place without actually enforcing them.
Another question arising from the ruling is whether website operators or publishers in general need to distinguish between consent which they obtain on behalf of another party on the one hand, and consent for their own processing on the other. That means publishers, who may soon be considered joint controllers alongside ad brokers, may not be able to obtain a single overall consent for data processing to be later carried out by ad tech companies.
Leitner argues that a lot of the contractual changes that will soon be implemented following the decision will reflect the consent issue. Contracts will also, she believes, include more provisions on data subjects’ rights.
But for subject rights more generally, the decision may not be entirely positive, Leitner says. The ad tech world may become even more byzantine, and people will find it increasingly difficult to know who controls their data, and when. That applies more broadly across the internet – if data subjects don’t know who handles their data, it is much more difficult for them to exercise their rights, she says.
Linklaters’ Van Overstraeten notes that the GDPR stipulates that a joint controllership contract may – but does not have to – designate a contact point for data subjects. “The extent to which data subjects will be better off will therefore highly depend on the quality of the communication they receive from the joint controllers,” he says.