It is common practice that organisations promote their products on popular social networks, such as Facebook, and gain the commercial advantage of having their products shared and made widely visible to consumers. One method of doing this has been by using, what are known as, “social sharing” widgets which have become an important feature of the internet today. However, following a recent judgement published on Monday 29 July 2019 by the Court of Justice of the European Union (“CJEU”), organisations that utilize this method of promotion risk falling foul of the GDPR.
The landmark judgement delved into the case of a German online clothing retailer, Fashion ID, which deployed Facebook’s iconic “Like” button plugin on the organisation’s website. The primary purpose of Facebook’s “Like” button is to track individuals across websites and allow for their data to be collected even when they are not explicitly using any of Facebook’s products. The proceedings began after a German consumer rights group sued Fashion ID for breaching personal data protection laws via the embedding of the “Like” button on its site, claiming that the visitors of the website were having their data, such as IP address and an abundance of cookies, automatically transferred to Facebook without their knowledge, regardless of whether the user is actually a member of Facebook or actively clicked the “Like” button or not.
Fashion ID lost the case in a Dusseldorf regional court in 2016 and consequently appealed to a higher German court, which in turn was further escalated to the CJEU. The CJEU ruled that in such circumstances, the website and Facebook share joint responsibility “in respect of the collection and transmission to Facebook of the personal data of visitors to its website”. However, the CJEU held that the operators of websites such as Fashion ID, cannot be found responsible for what happens to data after it has been passed onto Facebook.
Following this decision, website operators transmitting data about European citizens to social networks – using a “Like” button or other plugin – are considered to be joint controllers with the social network, and must each pursue a legitimate interest for the processing operations to be justified. Furthermore, the website operator must, as joint controller, warn users that their personal data is being sent to the particular social network and collect the individual’s explicit consent to do so “only with regard to the operation or set of operations involving the processing of personal data in respect of which that [website] operator determines the purposes and means” in order to be compliant with the GDPR. The decision has neither banned the use of the “Like” button nor diminished its reputation, rather it requires website operators to make the tracking functions clear to users.