open search
close
Internationales Arbeitsrecht

European Court of Justice – A ‘Like’ button on your website? Then you are a joint data controller with Facebook!

Print Friendly, PDF & Email

Website operators who feature a ‘Like’ button have been ruled to be joint controllers for data protection purposes in a recent European Court of Justice judgement.

In a judgment of 29 July 2019 (Fashion ID GmbH & Co, C-40/17) the European Court of Justice ruled that operators of a website that features a ‘Like’ button are controllers jointly with Facebook.

This means they must make an arrangement with Facebook in order to define their joint data protection obligations. The operator itself will also need to inform users and (in principle) seek their required consent.

In this case, an online clothing retailer had embedded a Facebook ‘Like’ button on its website. Users’ personal data (IP address, browser data and content) were thereby automatically transmitted to Facebook, without the users being aware of this and regardless of whether or not they were a Facebook user or had clicked the ‘Like’ button.

The Court of Justice ruled that the company was a joint controller within the meaning of the GDPR in respect of the collection of the data and its transmission to Facebook. Indeed, the company jointly determined the purposes and means of processing, since the company itself embedded the button in order to optimise its visibility and the visibility of its products on the social network.

The fact that the company itself did not have access to the personal data was considered irrelevant. However, the Court emphasised that the company could not be held responsible for all subsequent processing by Facebook after the transmission of the data through the ‘Like’ button.

The role of an organisation under data protection legislation (individual controller, joint controller or processor) is crucial for its obligations. The designation as joint controller implies several obligations for the operator of the website, including those described below.

Arrangement 

The operator of the website and Facebook must make an arrangement between themselves concerning their respective responsibilities, in particular regarding the exercise of rights and the obligation to provide information. It is to be expected that, following the European Court of Justice judgement, Facebook will work on a template agreement to this effect (as it did when the Court of Justice ruled in an earlier judgment that administrators of Facebook pages are also joint controllers).

Information obligation 

The website operator will have to inform its users in detail about the ‘Like’ button and the data processing related to the button.

Consent 

under e-Privacy legislation, the use of a ‘Like’ button seems to require the explicit (GDPR-compliant) consent of users, especially if the button is used to transmit data from individuals who are not Facebook users. This is also the position of the Belgian Data Protection Authority.

The Court of Justice has not explicitly ruled on this, but does state that any consent must be obtained by the operator of the website (and not by Facebook), prior to the collection or transfer of the data.

Comment 

The impact of the European Court of Justice judgement does not seem to be limited to the Facebook ‘Like’ button. In our view, the same principles can be applied to all features (plug-ins, widgets etc.) of third parties on a website, insofar as the website operator jointly determines the purposes and means of processing.

Action point 

‘Third-party check’ 

Operators of websites or other online services (such as apps) must check the following:

  • which external third-party features are embedded;
  • the role they play in relation to the third parties and whether they should make arrangements with them;
  • whether they properly comply with all other data protection obligations, in particular whether they correctly inform users about the processing of their personal data and whether they request (if required) a GDPR-compliant consent prior to the processing.

Ius Laboris




Ius Laboris is a leading international employment law practice combining the world’s leading employment, labour and pension firms. Our role lies in sharing insights and helping clients to navigate the world of labour and employment law successfully.
Verwandte Beiträge
Internationales Arbeitsrecht Neueste Beiträge

Employers liable for employees’ GDPR errors

A recent judgment of the European Court of Justice (ECJ) sheds light on the question of whether a data controller can be exempted from liability for the error of a person acting under its authority. The General Data Protection Regulation (GDPR) provides that a controller or processor is exempt from liability for breaches of the GDPR if it proves that it is not in any…
Internationales Arbeitsrecht Neueste Beiträge

The general public's enthusiasm for artificial intelligence (AI) technologies is making its way into the workplace.

While AI offers many advantages, employers must remain aware of the risks that a lack of supervision can generate.  Avoiding discrimination Discrimination is one of the risks most feared by the intrusion of AI into decision-making processes, particularly in terms of recruitment and candidate selection. Failure to comply with non-discrimination rules exposes the employer to various risks, ranging from the invalidity of the decision in…
Internationales Arbeitsrecht Neueste Beiträge

Can employers monitor their employees’ social media posts?

Increasingly, employers are being made aware of employee misconduct that is evidenced by photos, videos or other social media posts. What are employers allowed to do when it comes to their employees‘ posts, what are the limits, what should they bear in mind when using these posts? Here we consider the situation in Germany, with comments from our experts in 19 other jurisdictions. Employee posts…
Abonnieren Sie den kostenfreien KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.

 

Die Abmeldung ist jederzeit möglich.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert