The ever-expanding concept of joint-controllership and its limits under the Court of Justice of the European Union

Could merely placing a “Like” button turn a website into a “joint controller” of personal data processing activities with the world’s biggest social media companies? In a recent decision, the Court of Justice of the European Union (CJEU) affirms that such is indeed the case.

Ascertaining liability and compliance with data protection requirements is impossible without understanding which role each stakeholder will be assigned under the EU regime. It is no wonder, then, that the question of what constitutes a data controller has been one of the key issues since the entry into application of the General Data Protection Regulation (GDPR) on 25 May 2018.

Tersely defined under the GDPR as a natural or legal person determining the purposes and means of the processing of personal data, the concept of data controller, or joint controller, has now been subject to a series of guidelines and decisions by EU authorities. Previous guidelines by the Article 29 Working Party, comprising representatives of all EU data protection authorities, the European Data Protection Supervisor, and a representative of the EU Commission, emphasized the purpose and method of data processing. According to these guidelines, entities jointly determining both the purposes and the means of any personal data processing are considered joint controllers.

Shaking up the online ecosystem

In a decision from July 2019, the CJEU has further specified the criteria used to determine joint-controllership. This decision reinforces the trend that has been emerging in CJEU jurisprudence regarding the definition of data controller.[1]

According to two decisions handed down by the Court in June and July 2018, joint controllership could arise even in the absence of access to personal data, as long as a natural or legal person participates in the determination of the purposes and means of data processing. Social networks could become joint controllers when an entity creates a fan page.[2] Religious organizations were in no way exempt, qualifying as joint controllers when organizing preaching activities, even in the absence of any written instructions by the central association.[3] These decisions resulted in a re-alignment, in particular of the online economy, requiring parties to reconsider the reach of the concept of data controller under an amended legislation which from now on relies on the mapping of each data flow and, as a result, the respective roles of any entities involved in it.

The most recent decision seeking to refine the definition of the concept of controller concerned Fashion ID, an online clothing retailer.[4] Like most websites or web applications, Fashion ID had chosen to insert social media plugins, in this case the Facebook “Like” button, on its website. The CJEU affirms that embedding a social plugin, which transmits to the social media personal data of the visitor regardless of affirmative action or membership of the visitor, qualifies the website as a joint controller for the collection and transmission of such personal data.

Given the ubiquity of social media plugins, this decision impacts the entire online ecosystem, down to the smallest stakeholder that may have an online presence, including outside the EU. The insertion of a social media plugin is a convenient and extremely low-cost method that websites or applications can use to increase user engagement and reach potential customers, and one would be hard pressed to find a single website that does not include the Facebook ‘Like’ or ‘Share’ button. The imposition of the liabilities coming with the role of joint controller significantly increases the cost of inserting such plugins.

The seemingly sprawling reach of this decision is curtailed by the method used by the Court itself. At face value, this decision reinforces the broad definition of joint controller as we saw in previous decisions. However, it also signals another way the Court is conceptualizing the applicability of joint controllership, giving an indication of how the seemingly ever-expanding notion of joint-controllership shall be applied in practice: by identifying and isolating different stages of the processing operations and assigning firm boundaries.

In determining the different roles played by Fashion ID, the CJEU engages in the ‘sequencing’ of the stages of data processing. This method relies on the increased granularity of the stages of processing the Court is willing to isolate. In analyzing the processing activities involved in the insertion of the ‘Like’ button, the Court identifies four different steps. First, the core step of insertion for which the website alone is responsible. Second and third, the collection and transmission that take place through the plugin, at which point the website and the social media act as joint controllers. Lastly, any processing subsequent to the transfer engages the responsibility of the social media as an independent controller. The Court then uses this sequencing of stages of data processing to allocate responsibilities. The website, in consequence, shall be responsible for obtaining prior consent and disclosing information for the collection and transmission of the data.

Two additional points are crucial in understanding the Court’s reasoning and the perimeters of joint controllership in this case. First, before reaching the conclusion that the mere insertion of a social media plugin can result in joint controllership, the Court is careful to note that the plugins automatically collect and direct data from visitors without them needing to click on the button, or be members of the social media in question. In fact, the CJEU had already relied on this factor in the Wirtschaftsakademie judgment, where it held that an entity hosting a fan page on Facebook qualified as a joint data controller for the purposes of GDPR. The same is true for the second point, that is, how the exposure resulting from the insertion of plugins furthers the interest of the website, proving the website’s participation in the determination of the purposes and means of data collection and processing. The Court had already applied a similar reasoning in the Wirtschaftsakademie judgment.

Given these factors, disclaiming access or asserting that the operation involves only the transfer of data will not let the website off the hook for the responsibility of being a joint data controller, and thus the obligation to obtain valid consent and provide information. The practical implication of this reasoning is clear. According to the Court, the obligation to provide information resides with the entity that has direct relations with the users, that is, the website on which the social media buttons are placed. This decision thus confirms a series of long-standing recommendations of the above-mentioned Article 29 Working Party[5] as well as decisions from local authorities such as the French CNIL[6] and the French Administrative Supreme Court[7] regarding user-facing entities’ information obligation.

Determining roles and capacities – challenges and opportunities

As in its previous decisions, the CJEU hands a mixed bag to the “smaller” participants of the online economy. Although at first sight this decision may be read as only imposing a greater burden on any website or app embedding social media plugins, the application of joint controllership also presents increased control and opportunities. 

It is clear that the decision assigns, in unambiguous terms, the responsibility to obtain consent and inform visitors to the website, such as Fashion ID, that decides to include social media buttons. For the collection and transmission of user data automatically taking place through the insertion of a social media plugin, the website must now obtain consent prior to the collection and transmission, and provide information at the moment of these operations. Otherwise, it would be in violation of the GDPR.

On the flipside, as it has been implied in the previous decisions, entities can now take increased control over determining responsibility, as well as the subsequent processing of personal data. In Fashion ID, the Court conveniently gives us an indication of how exactly the different stages of data processing can be separated for the allocation of roles and capacities. Using this ‘sequencing’ method, joint controllership can be narrowly pared down, allowing the parties to remain independent data controllers for any previous or subsequent processing of personal data.  

Acknowledging the breadth of the definition of ‘controller,’ the Court reiterates, word for word, its previous position that joint controllership situations do not “imply equal responsibility for the various operators engaged in the processing of personal data,” and that each entity may “be involved at different stages of that processing of personal data and to different degrees.”[8] The possibility of finely defining the scope of responsibility by sequencing different stages of the operation means that entities gain greater control over when and for which data they should be considered joint controllers. This gives them the all-important benefit of being able to conduct subsequent processing as independent data controllers, as long as they can obtain valid consent or otherwise establish a legal basis.

Such precision gives the stakeholders increased control over both risk and data. Although now facing the responsibility to obtain consent and inform the users, websites or apps can determine the exact perimeter of processing activities for which they will be identified as joint controllers. Entities can thus engage in proactive risk-management by anticipating allocation of responsibility, minimizing the possibility of non-compliance. Moreover, joint controllership affords these smaller stakeholders, often placed in a position of dependence on the social media giants, the possibility to reuse the personal data collected and transmitted through the social media plugins, and the capacity to determine the scope of subsequent processing. Ultimately, the most important impact of this decision is not legal, but business-side, as having appropriate control of data is the best way to monetize them.