Facebook LIKE button renders the website operator and Facebook joint data controllers according to the opinion of the ECJ Advocate General.
Here is another position that will lead to considerable discussion about the treatment, under the EU Data Protection Directive 95/46 (and therefore under a regime prior to the GDPR), of the website operator and Facebook with regard to the processing of personal data collected by means of a Facebook LIKE button plugin. This was the subject of the opinion of the Advocate General of the European Court of Justice, Michal Bobek.
The Facebook “LIKE” button case
Fashion ID GmbH & Co. KG is an online retailer which sells fashion items. It embedded a plug-in in its website: Facebook’s Like button. As a result, when a user lands on Fashion ID’s website, information about that user’s IP address and browser string is transferred to Facebook. That transfer occurs automatically when Fashion ID’s website has loaded, irrespective of whether the user has clicked on the LIKE button and whether or not he has a Facebook account.
Verbraucherzentrale NRW e.V., a German consumer protection association, brought legal proceedings for an injunction against Fashion ID on the ground that the use of that plug-in results in a breach of data protection legislation.
The opinion of the Advocate General in the Facebook LIKE case and why there are joint data controllers
The Advocate General, in his opinion (which is not binding on the European Court of Justice), held the following:
1. National legislation is not precluded from granting a consumer association the right to bring actions against an alleged infringer of data protection laws
This right is expressly provided by the GDPR, which states in article 80 that “The data subject shall have the right to mandate a not-for-profit body, organisation or association [—] with regard to the protection of their personal data to lodge the complaint on his or her behalf”.
This change is a major innovation because it introduces a sort of “class action” under the GDPR. The provision has been implemented in countries like France with an even broader scope, as you can see from the article of my French colleagues here (“France – Facebook could face a € 100 million class action suit for violating GDPR”).
2. Website operator and Facebook as joint data controllers due to the LIKE functionality, but the operator's liability is limited
The ECJ Advocate General refers to the previous decisions of the European Court of Justice in
- the Wirtschaftsakademie Schleswig-Holstein case, which I had summarized in a previous post (see article “Facebook fan page admin liable for its privacy compliance”) and in which the Court found joint controllership because the Facebook Page admin contributed to the “determination of the parameters” of the page; and
- the Jehovan todistajat case, where the Court held that joint control and joint responsibility do not require each of the controllers to have access to (all of) the personal data concerned.
Based on the above, he holds that, since the website operator's decision to publish the LIKE plugin on the site allowed Facebook to collect personal data, they are joint data controllers. But since the website operator is only involved at the stage of collection and transmission of personal data, its role as a controller and its liability are limited to that phase.
This is a very broad interpretation whose compliance with the GDPR is at least uncertain. The EU Data Protection Regulation frames the requirement of joint controllership more specifically as “Where two or more controllers jointly determine the purposes and means of processing”, which gives the impression that the threshold to be met is higher. The position of the ECJ Advocate General nevertheless seems to imply that, in his view, the scenario is no different under the GDPR, without giving much explanation.
3. The legitimate interest balancing test requires the legitimate interests of not only the website operator, but also of Facebook to be taken into account
The legitimate interest balancing test is the requirement that must be met for legitimate interest to operate as the legal basis of the data processing (read on the topic “Legitimate interest and privacy consent, how to use them under the GDPR?”).
Since, according to the ECJ Advocate General, the website operator and Facebook are joint data controllers in relation to the collection and transfer of data through the LIKE functionality, both their interests have to be taken into account for the purposes of the balancing test.
This is a valid point of the Advocate General if you follow his reasoning, but it does not take into account the reality of the facts: such a balancing test is likely to be run by the website operator, assessing Facebook’s interests on the basis of mere assumptions, without having any sort of joint controllership agreement with the social media.
4. The privacy information notice shall be provided by the website operator that shall also obtain the individual’s consent
The ECJ Advocate General provides that the website operator is liable to
- obtain consent from the individuals, regardless of whether they are Facebook users, and such consent shall be obtained prior to the beginning of the transfer; and
- provide the required privacy information notice.
The views above seem to make sense, but do not clarify whether consent is actually required or whether legitimate interest can operate as a valid alternative to it on the basis of a balancing test whose terms shall be assessed only by the operator.
This opinion leaves a number of “grey” areas to be assessed. Are agreements on the role of joint controllers really going to be entered into between Facebook and website operators for the LIKE plugin? Even if such agreements are entered into, will they give operators any type of control over the negotiation? Is the opinion not taking into account what happens in reality? We will see the position of the ECJ on the matter, which is expected in the coming months. As mentioned above, you may find this article on the same topic interesting: “Facebook fan page admin liable for its privacy compliance”.