EU ruling makes companies co-responsible for Facebook’s personal data processing if they have integrated Facebook’s ‘like’ button on their website.
Read attorney Hans Sønderby Christensen’s article published on Monday, February 10, 2020, on Jyllands-Posten’s website here or download it as a PDF here.
The case concerned a German online clothing retailer, Fashion ID GmbH & Co. KG (hereinafter Fashion ID). The company had integrated Facebook’s ‘like’ button on its website. When an internet user visited the website, the visitor’s personal data (e.g., IP address) was transferred to Facebook. The transfer occurred automatically when the user loaded the website, without the visitor being aware of it, and regardless of whether the person was a member of Facebook or had clicked the ‘like’ button.
The German consumer protection organization, Verbraucherzentrale NRW eV (hereinafter NRW), criticized Fashion ID for transferring information about the website’s visitors to Facebook in violation of the EU’s personal data rules: first, because the transfer occurred without the users’ consent, and second, because it was contrary to the information requirements that follow from the personal data rules.
NRW therefore brought a case before the Landgericht Düsseldorf (the regional court of first instance in Düsseldorf, Germany). The court partially upheld NRW’s claim. Fashion ID appealed the decision to the Oberlandesgericht Düsseldorf (the regional court of appeal in Düsseldorf, Germany). The appellate court was, among other things, in doubt as to whether Fashion ID could be considered a data controller under the personal data rules when Fashion ID had no influence on the processing of the personal data that was transferred to Facebook. In this regard, there was also doubt as to who, if anyone, is responsible for obtaining consent and providing information to the persons whose personal data is processed. The appellate court therefore decided to stay the proceedings and refer the questions to the EU Court of Justice.
The EU Court of Justice answered the questions in accordance with the EU’s Personal Data Directive, which on May 25, 2018, was replaced by the EU’s General Data Protection Regulation. Since the basic provisions on data controllers in the directive have been carried over into the regulation, the judgment also has significance for the future application of the personal data rules.
The EU Court of Justice began by stating that the purpose of the previously applicable Personal Data Directive was to ensure a high level of protection of natural persons’ fundamental rights and freedoms. In accordance with this purpose, the definition of the term ‘data controller’ must be understood broadly. The term thus includes both natural and legal persons, public authorities, institutions or any other body.
The data controller is not necessarily a single actor, but can also be several actors who have a joint responsibility for the same processing of personal data. Joint responsibility does not presuppose that all the actors have access to the personal data in question. Nor does it imply that they have the same responsibility for the processing. On the contrary, the different actors can be responsible at different levels and to different extents. Therefore, the individual actor’s level of responsibility must be assessed taking into account the specific circumstances. This is because the processing of personal data can comprise one or more processing operations to which the personal data is subjected, e.g. collection, registration, storage, compilation, use or disclosure.
Several actors have a joint responsibility when they jointly determine the purposes for which and the means by which personal data may be processed. An actor will thus only be a data controller together with others if the actor in question takes part in determining the purpose and means of the processing. On the other hand, the actor cannot be considered to be the data controller for processing operations that occur before or after in the chain of processing, and for which the actor determines neither the purpose nor the means.
In relation to Fashion ID, the EU Court of Justice noted that the company, by having integrated Facebook’s ‘like’ button on its website, had given Facebook the opportunity to automatically collect personal data regarding the visitors to the website. For the processing operations that consist of collecting and passing on the personal data, Fashion ID and Facebook jointly determine the purpose and means of the processing. This is because the integration of the ‘like’ button makes it possible for Fashion ID to optimize the marketing of the company’s goods by making them more visible on Facebook. In addition, the processing of the personal data in question would not have taken place if Fashion ID had not integrated the ‘like’ button on its website. Both Fashion ID and Facebook therefore have an economic and commercial interest in the processing. Both are therefore also data controllers with regard to the processing operations that relate to the collection and disclosure of the personal data. On the other hand, it can immediately be excluded that Fashion ID determines the purpose and means of the subsequent processing operations, which are carried out by Facebook; Fashion ID therefore cannot be considered a data controller for those operations.
Next, the EU Court of Justice noted that Fashion ID as a result has both a duty to provide information and a duty to obtain consent from the visitors to the website. However, the obligation that rests on Fashion ID to obtain consent and provide information only applies to the extent that the processing operations consist of collecting and passing on the personal data. On the other hand, the obligation does not include the subsequent processing operations, which are carried out by Facebook. It goes without saying that both consent and information must be given before the personal data is collected and passed on. The obligation is the same for all visitors, regardless of whether they are the holder of a Facebook account or not. It would not be in accordance with an effective and timely protection of the rights of those concerned if the consent was only given to Facebook, which is only involved in the subsequent processing operations.
With the judgment, the EU Court of Justice has thus established that the automatic transfer of website users’ personal data, which takes place via a social module such as Facebook’s ‘like’ button, and without consent having been obtained or the user in question having been given information about the processing of personal data, is in violation of the EU’s personal data rules.
The judgment is relevant for companies that have integrated a social module such as Facebook’s ‘like’ button on their website, if this integration implies that there is an automatic transfer of website users’ personal data, without consent first being obtained from the users or information being given about the processing of personal data. Such companies will be data controllers for the collection and disclosure of the personal data, and therefore they will also have an obligation to obtain consent and provide information about the processing.