
Social media plug-ins have just become a big deal

08 August 2019
Commercial Law
The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website, according to the recent judgment of the Court of Justice of the European Union (CJEU).

What happened?

Fashion ID, a German online retailer selling clothing, embedded a social media plug-in (Facebook's 'Like' button) on its website. As a result, when a user lands on Fashion ID’s website, information about that user’s IP address and browser string is transferred to Facebook. This transfer occurs automatically when Fashion ID’s website has loaded, irrespective of whether the user has clicked on the ‘Like’ button and whether or not the user has a Facebook account.

A German consumer protection association questioned the legality of using such a plug-in, considered it to be in breach of data protection legislation and started legal proceedings. The Higher Regional Court in Dusseldorf, Germany, heard the dispute and asked the CJEU to interpret several provisions of Directive 95/46/EC (the predecessor of the GDPR). 

The main question in this case was whether Fashion ID, with regard to the data processing that follows from having Facebook's 'Like' button on its website, should be classified as a ‘controller’. The CJEU decided the following:

  • "Fashion ID cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter. It seems, at the outset, impossible that Fashion ID determines the purposes and means of those operations."
  • "By contrast, Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue, since it can be concluded that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations."

The CJEU considered the fact that the processing operations appeared to be performed in the economic interest of both Fashion ID and Facebook Ireland to be an important factor in its decision. This recent judgment further develops the issue of (joint) controllership and adds to several other recent cases on the topic: Wirtschaftsakademie Schleswig-Holstein (the administrator of a Facebook fan page acts as joint controller together with Facebook) and Jehovan todistajat (access to all of the personal data is not required for there to be joint control and responsibility). It further confirms the reasoning in previous cases that joint controllership is established when one party makes it possible for personal data to be collected and transferred, potentially coupled with some input from that joint controller regarding the parameters (including when there is silent endorsement of them).

The Fashion ID case is also an interesting development in terms of setting out individual obligations of joint controllers, applicability of lawful processing grounds and provision of information requirements. The CJEU has clarified that:

  • The operator of a website (such as Fashion ID), as a joint controller, must provide certain information to its website users at the time of collection, such as its identity and the purpose of processing.
  • In cases where website users have given their consent and the website operator uses this as a lawful ground to process personal data, the operator of the website must obtain prior consent in respect of operations for which it is a joint controller (collection and transmission of data).
  • In cases where legitimate interest is relied on as a lawful processing ground, each of the joint controllers (the website operator and the provider of the plug-in) must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard.

Organisations using social media plug-ins on their websites should be aware of this case and clarify their respective responsibilities as controllers in a contractual arrangement where applicable. Organisations should also consider what lawful grounds they rely on to justify such processing and ensure that the information provision to data subjects involved is sufficient, clear and timed correctly. 

Please contact the Data Protection team if you have any questions or require assistance in this area.
