On July 29, 2019, the Court of Justice of the European Union (“CJEU”) handed down its judgment in the Fashion ID case (Case C-40/17). The CJEU found that when a website operator embeds Facebook’s “Like” button on its website, Facebook and the website operator become joint controllers. The case clarifies the relationship between website operators and social networking sites whose plug-ins are embedded into websites for user tracking and online marketing purposes. The ruling is expected to influence the contractual terms that companies will need to have in place when embedding such social plug-ins into their websites, and may also have ramifications for adtech practices more generally.
The Fashion ID case arose out of a 2015 complaint made by a German consumer protection association, Verbraucherzentrale NRW, against an online clothes retailer, Fashion ID, which embedded Facebook’s “Like” button on its website. Facebook’s “Like” button is a social plug-in that allows website users to click the “Like” button to show on their Facebook profile that they “like” a certain product or service. Websites use this plug-in to optimize their advertising on Facebook so that targeted ads can be shown to people who “like” their products.
Websites with the “Like” button collect information (e.g., IP addresses and browser string data) about not only the people who click the “Like” button, but also other website users who do not click the button, as well as those who do not have a Facebook account. This data is then transferred to Facebook.
The complaint filed by Verbraucherzentrale NRW alleged that Fashion ID’s use of the Facebook “Like” button breached EU data protection law because Fashion ID failed to appropriately inform users and obtain their consent to transfer personal data to Facebook. The complainant sought an injunction by the court to order Fashion ID to stop using the functionality.
The Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany) referred the matter up to the CJEU, asking a number of questions seeking clarification as to several provisions of the Data Protection Directive 95/46/EC (which continue to have relevance under the EU’s General Data Protection Regulation), most notably:
- Can Member State laws implementing the Data Protection Directive allow consumer protection organisations to lodge data protection claims on behalf of affected individuals?
The CJEU decided that the provisions of the Data Protection Directive on “judicial remedies, liability and sanctions” give Member States the freedom to determine the “appropriate means” to ensure their application, which could extend to allowing consumer protection organizations to act on behalf of individuals whose data privacy rights have been impinged. The CJEU also mentioned that this redress mechanism is now explicitly provided for under Art. 80 of the GDPR.
- Is the website (i.e., Fashion ID) a “joint controller” in relation to the data that Facebook collects about users?
Significantly, the CJEU decided that Fashion ID and Facebook are “joint controllers” in relation to Facebook’s collection and sharing of personal data. According to the CJEU, by embedding the plug-in on its website, Fashion ID is “influencing” the collection and sharing of data and is “at least tacitly” consenting to it. The CJEU decided that Fashion ID’s responsibility is most apparent in situations where users do not have an account with Facebook, but their data is nonetheless shared with Facebook as a result of accessing Fashion ID’s website. The CJEU also determined that Fashion ID’s lack of access to the data is irrelevant when assessing “joint controllership” (consistent with earlier CJEU cases C-210/16 and C-25/17).
However, the CJEU clarified that although the term “controller” should be given a broad interpretation, an organization cannot be held responsible for upstream or downstream processing operations in the processing chain for which it does not determine the purpose or the means of processing. In this regard, the CJEU held that Facebook (not Fashion ID) is the controller for the processing that takes place after the personal data related to the “Like” plug-in has been transferred to Facebook.
- Can Fashion ID and Facebook rely on their legitimate interests to collect and share personal data?
The CJEU did not give a clear answer to this question, but merely stated that both Fashion ID and Facebook would need to establish a legitimate interest, if they were intending to rely on this legal basis.
- Who has responsibility to (i) provide notice to users about how the data is collected and used and (ii) collect consent from the users?
The CJEU decided that it is the website operator’s responsibility to provide notice to users and to obtain their consent. However, the website operator only needs to inform users and obtain their consent for processing operations for which it is a “joint controller”.
This ruling mirrors the court’s findings in the Wirtschaftsakademie case (Case C-210/16), where the CJEU found that Wirtschaftsakademie, which offers educational services through a fan page hosted on Facebook, was a joint controller with Facebook for the processing of user website usage data through the “Facebook Insights” tool. The CJEU’s reasoning in both cases provides useful guidance on how the court identifies “controllers” and “joint controllers” in data sharing relationships. The CJEU’s findings suggest that companies using third party tools (e.g., cookies, plug-ins and other website analytics tools) to increase their online visibility may need to ramp up their disclosures to website users and strengthen the contractual terms they have in place with their advertising partners.