On July 29, 2019, the Court of Justice of the European Union (the “CJEU”) released its judgment in case C-40/17, Fashion ID GmbH & Co. KG vs. Verbraucherzentrale NRW eV. The Higher Regional Court of Düsseldorf (Oberlandesgericht Düsseldorf) requested a preliminary ruling from the CJEU on several provisions of the former EU Data Protection Directive of 1995, which was still applicable to the case since the court proceedings had started before the implementation of the EU General Data Protection Regulation (“GDPR”).

Background

Fashion ID is a German online clothing retailer that embedded the Facebook ‘Like’ button on its website. Facebook’s ‘Like’ button enables Fashion ID to share personal data of website visitors with Facebook Ireland (“Facebook”) without website visitors being aware of such data disclosure and regardless of whether they clicked on the ‘Like’ button or whether they have a Facebook account.

Verbraucherzentrale NRW eV is a German consumer association. It objected to Fashion ID’s disclosure of website visitors’ personal data to Facebook without their consent and alleged that this was a breach of Fashion ID’s duty to provide appropriate notice. Verbraucherzentrale NRW eV filed an injunction before the regional Court of Düsseldorf, which was escalated to the Higher Regional Court of Düsseldorf and subsequently to the CJEU.

Judgment

The CJEU ruled that Fashion ID should be considered a joint controller with Facebook regarding the collection and disclosure of website visitors’ personal data to Facebook as a result of embedding the Facebook ‘Like’ button on Fashion ID’s website. The Court held that Fashion ID and Facebook jointly determine the purpose and means of the data disclosure as this processing operation appears to be performed in the economic interests of both parties. In particular, the Court took the position that by embedding the Facebook ‘Like’ button on its website, and subsequently disclosing personal data to Facebook, Fashion ID was able to optimize the publicity of its goods and services and obtain a commercial advantage.

Furthermore, the CJEU required that consent to processing personal data must be obtained by the website operator (i.e., Fashion ID) before collecting and disclosing personal data of its website visitors to Facebook through a Facebook ‘Like’ button, even if such data disclosure occurs through a single visit to the website. The CJEU also held that Fashion ID must inform their website visitors of the data disclosure to Facebook at the time of the collection of the data. The CJEU considered that Fashion ID was not a controller with respect to the underlying processing activities carried out by Facebook once the data was disclosed to Facebook.

The CJEU held that the Data Protection Directive of 1995 did not prohibit a consumer protection association bringing legal proceedings against an entity for allegedly infringing on the protection of consumers’ personal data.