In a judgment of 29 July 2019 (C-40/17, Fashion ID GmbH & Co) the European Court of Justice ruled that operators of a website that features a “Like” button are controllers jointly with Facebook.
Therefore, they must make an arrangement with Facebook in order to define their joint data protection obligations. They themselves will also need to inform the users and (in principle) seek their required consent.
In this case, an online clothing retailer had embedded a Facebook “Like” button on its website. Personal data of users (IP address, browser data and content) were thereby automatically transmitted to Facebook, without the users being aware of this and regardless of whether or not they were a Facebook user or had clicked the “Like” button.
The Court of Justice ruled that the company was a joint controller within the meaning of the GDPR in respect of the collection of the data and its transmission to Facebook. Indeed, the company jointly determined the purposes and means of processing, since the company itself embedded the button in order for its visibility and the visibility of its goods on the social network to be optimised.
The fact that the company itself did not have access to the personal data was considered irrelevant. However, the Court emphasised that the company could not be held responsible for all subsequent processing by Facebook after the transmission of the data through the “Like” button.
The role of a company under the data protection legislation (individual controller, joint controller or processor) is crucial for its obligations. The qualification as joint controller implies several obligations for the operator of the website, such as:
- Arrangement: the operator of the website and Facebook must make an arrangement between themselves concerning their respective responsibilities, in particular regarding the exercise of rights and the obligation to provide information. It is to be expected that, following the judgment of the Court of Justice, Facebook will work on a template agreement to this effect (as it did when the Court of Justice ruled in an earlier judgment that administrators of Facebook pages are also joint controllers).
- Information obligation: the operator of the website will have to inform its users in detail about the “Like” button and the data processing in this respect.
- Consent: under the e-Privacy legislation, the use of the “Like” button seems to require the explicit (GDPR-compliant) consent of the users, especially if the button is used to transmit data from non-members of Facebook. This is also the position of the Belgian Data Protection Authority.
The Court of Justice has not explicitly ruled on this, but does state that any consent must be obtained by the operator of the website (and not by Facebook), prior to the collection or transfer of the data.
The impact of the judgment of the Court of Justice does not seem to be limited to the “Like” button of Facebook. In our view, the same principles can be applied to all features (plug-ins, widgets etc.) of third parties on a website, insofar as the website operator jointly determines the purposes and means of processing.
Action point
"Third-party check"
Operators of websites or other online services (such as apps) must check:
- Which external features of third parties are embedded
- The role they play in relation to the third parties and whether they should make arrangements with them
- Whether they properly comply with all other data protection obligations, in particular whether they correctly inform users about the processing of their personal data and whether they request (if required) a GDPR-compliant consent prior to the processing.
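The first item of this check, finding out which third-party features a page actually pulls in, can be started from the page's own HTML. The script below is an added example, not part of the original article: it lists every script, iframe, image, stylesheet or media element whose source lives on another host, because each of those is fetched by the visitor's browser as soon as the page loads and therefore hands that host the visitor's IP address and browser data whether or not the visitor interacts with it (the mechanism at issue in the judgment). The hostnames and the sample HTML are constructed for the example; the first-party test is a plain suffix match and does not consult the public-suffix list.

```python
"""Inventory third-party embeds in an HTML page.

Added example (not from the article).  Any <script>, <iframe>, <img>,
<link>, <video>, <audio>, <object> or <embed> whose source points to
another host is requested at page load, so that host receives the
visitor's IP address, User-Agent and, for iframes, any cookies it has
set.  All hosts and the sample page below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that trigger a network fetch at load time, per tag.
LOAD_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


def is_first_party(host: str, site_host: str) -> bool:
    """True if host is the site itself or one of its subdomains.
    Simple suffix match; it does not consult the public-suffix list,
    so a site hosted under a shared parent domain needs a stricter rule."""
    host, site_host = host.lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


class EmbedCollector(HTMLParser):
    """Collects (tag, host, absolute_url) for every load-time resource."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in LOAD_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            # Skip inline data, script pseudo-URLs and in-page anchors.
            if not value or value.startswith(("data:", "javascript:", "#")):
                continue
            url = urljoin(self.page_url, value)  # resolves relative and //-URLs
            host = urlsplit(url).hostname
            if host:
                self.embeds.append((tag, host, url))


def third_party_embeds(html: str, page_url: str):
    """Return load-time resources served from hosts other than the site's own."""
    parser = EmbedCollector(page_url)
    parser.feed(html)
    site_host = urlsplit(page_url).hostname
    return [e for e in parser.embeds if not is_first_party(e[1], site_host)]


def summarize(embeds):
    """Group third-party resources by host: {host: [tags]}."""
    by_host = {}
    for tag, host, _url in embeds:
        by_host.setdefault(host, set()).add(tag)
    return {h: sorted(t) for h, t in sorted(by_host.items())}


# Constructed sample page: two first-party resources, three third-party ones.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://static.shop.example/app.js"></script>
<script src="//analytics.example/tag.js"></script>
</head><body>
<img src="/img/logo.png">
<iframe src="https://social-plugin.example/like?ref=shop"></iframe>
<img src="https://tracker.example/pixel.gif">
</body></html>"""
SAMPLE_URL = "https://shop.example/products"

if __name__ == "__main__":
    for host, tags in summarize(third_party_embeds(SAMPLE_HTML, SAMPLE_URL)).items():
        print(f"{host}: {', '.join(tags)}")
```

Run against a saved copy of each page; the hosts it reports are the third parties whose role (controller, joint controller, processor) has to be assessed. A static scan only sees what is in the HTML, so resources injected later by a tag manager or other script are missed; the browser's network panel, or a Content-Security-Policy in report-only mode, shows the full set of hosts actually contacted at load time.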