In a judgment of 29 July 2019 (Fashion ID GmbH & Co, C-40/17) the European Court of Justice ruled that operators of a website that features a ‘Like’ button are controllers jointly with Facebook.
This means they must make an arrangement with Facebook in order to define their joint data protection obligations. The operator itself will also need to inform users and (in principle) obtain their consent where this is required.
In this case, an online clothing retailer had embedded a Facebook ‘Like’ button on its website. Users’ personal data (IP address, browser data and content) were thereby automatically transmitted to Facebook, without the users being aware of this and regardless of whether or not they were a Facebook user or had clicked the ‘Like’ button.
The Court of Justice ruled that the company was a joint controller within the meaning of the GDPR in respect of the collection of the data and its transmission to Facebook. Indeed, the company jointly determined the purposes and means of processing, since the company itself embedded the button in order to optimise its visibility and the visibility of its products on the social network.
The fact that the company itself did not have access to the personal data was considered irrelevant. However, the Court emphasised that the company could not be held responsible for all subsequent processing by Facebook after the transmission of the data through the ‘Like’ button.
The role of an organisation under data protection legislation (individual controller, joint controller or processor) is crucial for its obligations. The designation as joint controller implies several obligations for the operator of the website, including those described below.
Arrangement
The operator of the website and Facebook must make an arrangement between themselves concerning their respective responsibilities, in particular regarding the exercise of data subjects' rights and the obligation to provide information. It is to be expected that, following the European Court of Justice judgment, Facebook will work on a template agreement to this effect (as it did when the Court of Justice ruled in an earlier judgment that administrators of Facebook pages are also joint controllers).
Information obligation
The website operator will have to inform its users in detail about the ‘Like’ button and the data processing related to the button.
Consent
Under e-Privacy legislation, the use of a ‘Like’ button seems to require the explicit (GDPR-compliant) consent of users, especially if the button is used to transmit data from individuals who are not Facebook users. This is also the position of the Belgian Data Protection Authority.
The Court of Justice has not explicitly ruled on this, but does state that any consent must be obtained by the operator of the website (and not by Facebook), prior to the collection or transfer of the data.
Comment
The impact of the European Court of Justice judgment does not seem to be limited to the Facebook ‘Like’ button. In our view, the same principles can be applied to all third-party features (plug-ins, widgets, etc.) embedded on a website, insofar as the website operator jointly determines the purposes and means of processing.
Action point
‘Third-party check’
Operators of websites or other online services (such as apps) must check the following:
- which external third-party features are embedded;
- the role they play in relation to the third parties and whether they should make arrangements with them;
- whether they properly comply with all other data protection obligations, in particular whether they correctly inform users about the processing of their personal data and whether they request (if required) a GDPR-compliant consent prior to the processing.