Plugins from social media platforms “Like” Facebook can trigger joint controllership

To many consumer-facing businesses, it’s something of a no-brainer to include in their websites social media plugins such as those offered by global platforms like Facebook and Twitter. After all, is there a cheaper and more innocuous way of marketing than by giving website visitors the opportunity to share the products they like with their social networks? Some may not have even realised there are data protection implications when it comes to such practices.

Step forward the Court of Justice for the European Union (CJEU), which in its judgment in Case C-2101 made clear that website operators do have data protection obligations in respect of such plugins, mainly acting as a joint controller with the third party plugin provider.

The case in question resulted from legal action taken by a German consumer organisation, Verbraucherzentrale, against Fashion ID, a German online fashion retailer, which alleged that Fashion ID’s use of the Facebook “Like” plugin infringed data protection laws. The interaction between the visitor’s browser and the “Like” plugin resulted in the visitor’s device IP address and certain technical data being transferred to Facebook before the visitor even decided whether to click the plugin link and irrespective of whether the visitor was a Facebook user. Of course, this technical data is likely to qualify as personal data under EU data protection laws.

CJEU ruling

Having decided that Verbraucherzentrale had the right to bring the action against Fashion ID, the CJEU held that Fashion ID and Facebook operated as joint controllers with respect to the collection and transmission of personal data from the website to Facebook. Fashion ID was a controller despite that fact that it had no influence over the processing of the data transmitted to Facebook and could not control what data was transferred.

The embedding of the “Like” button on the Fashion ID website allowed the company to promote its products more effectively on Facebook, and its consent to the button on its website was surely down to the commercial benefit it could accrue from the use of the button. As a result, the processing was carried out in the economic interests of both parties. The CJEU clarified that joint controllership does not necessarily mean that each controller has equal responsibility for the processing, and each may have responsibility for activities undertaken at various stages of the processing.

As joint controllers, each of Fashion ID and Facebook would require a legal basis for their processing under the arrangement, even in respect of the disclosure from Fashion ID to Facebook. However, it was possible that the “Like” plugin facilitated Facebook’s access to visitors’ device information, which may also trigger requirements under the ePrivacy Directive (Directive 2002/58), meaning visitors would need to be provided with clear and comprehensive information about the processing in line with the DP Directive (Directive 95/46/EC), and must consent to the collection and transmission of the data. While the CJEU did not consider the application of  the ePrivacy Directive, it did consider who was responsible under the DP Directive for providing fair processing information and, in the event that consent is required, obtaining that consent, and held that it was Fashion ID’s responsibility, as the website operator.  This was on account of the fact that consent was required prior to any collection or transmission of data. However, this would only apply to processing in respect of which Fashion ID actually determined the purposes and means.

Key takeaways

Although the Fashion ID case considered the processing arrangements under the now defunct DP Directive, the principles the CJEU considered remain applicable to processing undertaken under the GDPR and provide useful guidance in respect of controllership and the allocation of responsibility and liability in joint controllership arrangements:

• controllership is a broad concept and the lack of physical control over processing of personal data does not preclude an organisation from being held to be a controller of that personal data;
• joint controllers require a legal basis for the transfer of personal data to other controllers of the same data, and if that basis is legitimate interests, each must separately satisfy the legitimate interests test;
• In joint controllership arrangements, liability of each controller only extends to the operation or set of operations within a chain of processing for which that controller actually plays apart in determination of the purposes and means of processing.
• Controllers who wish to capitalise on the opportunities presented by third party website plugins from companies such as Facebook and Twitter should consider the following additional points:
• the embedding of a third party plugin will likely result in joint controllership with the plugin provider, irrespective of how distant the relationship between the parties is;
• website operators embedding social media plugins in their websites must ensure
  • proper fair processing information is provided to users in respect of the plugin’s processing operations, and
  • where consent is required, as may be the case in respect of compliance with ePrivacy laws in respect of the collection and transmission of data to the plugin provider.