On July 29, 2019, the Court of Justice of the European Union (ECJ) published its judgement in case C-40/17, holding, as Advocate General Bobek (see here) suggested, that an organization that embeds a Facebook “Like” button on its website may be considered a data controller.
In this case, a German online fashion retailer embedded a Facebook ‘Like’ button in its website. As a result, when users landed on the retailer’s website, information about those users’ IP address and browser string was transferred to Facebook. The transfer occurred automatically when the retailer’s website loaded, irrespective of whether the user clicked on the ‘Like’ button and whether or not she had a Facebook account.
The ECJ had to decide whether in this case the retailer must be classified as a ‘controller’ with regard to this data processing and be subjected to the related obligations (see here).
The court reasoned that embedding the Facebook ‘Like’ button on the operator’s website allows it to optimize the publicity of its goods by making them more visible on the social network. Facebook then uses those data for its own commercial purposes as consideration for the economic benefits received by the website operator.
Facebook and the website operator therefore jointly determine the purposes of the operations involving the collection and disclosure by transmission of the personal data at issue in the main proceedings, and are considered controllers under Directive 95/46/EC.
The ECJ confirmed that
the operator of a website, such as Fashion ID, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.
In other words, the operator of a website and Facebook are joint controllers in respect of the operations involving the collection and disclosure of the personal data of visitors.
The ECJ also addressed two other important points:
- The Court was asked to decide “Whose ‘legitimate interests’, in a situation such as the present one, are the decisive ones in the balancing of interests to be undertaken pursuant to Article 7(f) of Directive [95/46]?” Basically: to evaluate whether the processing is legitimate, which legitimate interest do you take into account, the interest of the website operator or that of the social media provider? The Court answered that, because the two are joint controllers, the website operator and the social media provider must each pursue a legitimate interest for their processing operations to be justified.
- The duty to inform the data subjects — deriving from the classification as controller — is incumbent both on the social media provider and the website operator. However, “the information that the latter must provide … need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means” and no others.
This decision was made under Directive 95/46 (which was applicable to that dispute), but these are important pronouncements under the GDPR as well.
More on Case C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW is available at http://curia.europa.eu…
The ECJ’s judgement is available at http://curia.europa.eu…
More on GDPR is available at http://www.technethics.com…
For more information on how EU cookie rules apply to your company: Francesca Giannoni-Crystal and Federica Romanelli
Originally published on Technethics in August 2019