Judgment C-40/17 issued by the Court of Justice of the European Union has shed light on the data protection implications that this common social network tool has for website operators embedding this social plug-in on webpages.

This matter began when the Düsseldorf Higher Regional Court of Civil and Criminal Law (Germany) requested the Court of Justice of the European Union (“CJEU“) to interpret several provisions included in the repealed Data Protection Directive (since the entry into force of the General Data Protection Regulation) following the dispute between Fashion ID GmbH & Co. KG (“Fashion ID“), a German online company clothes retailer, and Verbraucherzentrale NRW Ev (the “Plaintiff“), a German association that is tasked with safeguarding the interests of consumers. Although it is true that several issues are resolved in the judgment, such as procedural criteria, this article is focused on analysing the implications that the embedding of the ‘like’ button has for a website operator, which, in short, constitutes the underlining concept of this judgment.

This case started when Fashion ID included in its website the aforementioned button from the social network Facebook, through which users can indicate their liking to a particular content. By reading the judgment, it is understood that when a user accesses and consults the Fashion ID website, regardless of whether or not the user is a member of Facebook, and without having to click the ‘like’ button, their personal data are transmitted to Facebook Ireland (user IP and browser identification), as a result of this social plug-in being incorporated on the website.

After becoming aware that the users’ data protection rights were not being respected and that Fashion ID was not acting in accordance with the Data Protection Directive provisions, the Plaintiff initiated this litigation based on (i) not informing the users that their personal data are being collected and used until the moment when the plug-in provider – Facebook Ireland – begins to process it, (ii) not requesting the users’ consent before the data processing occurs, and (iii) not informing about the users’ right to revoke their consent.

In essence, the question referred to the CJEU raises whether the obligations set forth in the Data Protection Directive apply in a case like the one at hand, in which the website operator (in this case, Fashion ID) by embedding this ‘like’ button into its website, allows the browser of the user to request content from the provider of this button (Facebook Ireland) and transmits this data to this provider.

To analyse this matter, the CJEU emphasises several issues, such as defining the role of the “controller”, as the body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The CJEU also emphasises that the joint controllership, consisting of several actors (controllers) for the same data processing does not require each of the actors to have access to all the personal data in question, and that the actors may be involved in the data processing at different stages and to varying degrees. This means that the responsibility of all actors must be evaluated, taking into account the circumstances of the specific case.

That said, the CJEU considers that Fashion ID is co-controller with Facebook Ireland since it inserted the ‘like’ button on its website, thus allowing the collection and transmission of users’ personal data to Facebook Ireland, regardless of whether or not they are members of this social network. Specifically and without prejudice to the examination of this judgement by the national court, Fashion ID is the controller in the collection and transmission of this data to Facebook Ireland and, consequently, it is Fashion ID who must request the users’ consent and inform them of the processing purposes being carried out (that is, the data collection and the disclosure by transmission).

Another question raised is the existence of the legitimate interest of the website operator and of the provider of the “like’ button, an aspect that, in our view, the CJEU does not analyse in depth.

Pending the German courts to pass judgment in this case, the opinion issued by the CJEU strengthens, on the one hand, the users’ rights on websites and, on the other, creates precedent regarding how to proceed and what obligations apply to the operators handling these popular social plug-ins, which we understand are applicable under the General Data Protection Regulation.