Norton Rose Fulbright - Data Protection Report blog

On 29 July 2019, the European Court of Justice (ECJ) issued its judgement on Case C-40/17 (the “Fashion-ID” case). In its ruling, the ECJ held that operators of websites embedding Facebook’s “Like” button act as data controllers jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to the relevant websites. In relation to these processing activities, the website operators must inform their website visitors about the data processing activities for which they act as a joint controller with Facebook, must establish a lawful basis for these processing activities and, where applicable, must collect relevant consent from the website visitor.

The Case:

Fashion ID GmbH & Co. KG (Fashion ID), a German online clothing retailer, embedded Facebook’s “Like” button plugin on its website. This meant that the personal data of a visitor to Fashion ID’s website (including the visitor’s IP address and browser technical data) was transferred back to Facebook without the visitor’s awareness, regardless of whether or not the visitor had interacted with the “Like” button or was a member of Facebook.

The German consumer-protection association of North Rhine-Westphalia (Verbraucherzentrale NRW) brought proceedings against Fashion ID for transmitting this personal data to Facebook without the website visitors’ consent and without providing the visitors with adequate information about this data processing activity. The Higher Regional Court (Oberlandesgericht) Düsseldorf, which is hearing the dispute, submitted this case to the ECJ for a preliminary ruling. The key question put to the ECJ was whether Fashion ID can be considered a data controller, particularly given that Fashion ID cannot control what data the browser transmits to Facebook and what Facebook subsequently does with this data.

The ECJ held that Fashion ID can be considered to be a controller jointly with Facebook in respect of the collection and disclosure by transmission to Facebook of the personal data of the visitors of its website. It considered that Fashion ID and Facebook jointly determine the means and purposes of those operations for the following reasons:

  • Fashion ID enabled Facebook to obtain personal data of the visitors by deployment of the “Like” button on its website.
  • Fashion ID was aware that Facebook used the “Like” button to collect data of the visitors to its website, regardless of whether they interacted with the button or were members of the social network. The fact that Fashion ID did not have access to, or control over, the personal data collected by Facebook did not affect this (the ECJ reiterated that joint controllership can arise even if one party does not have access to the personal data transmitted to the other party, as established in previous case law: Wirtschaftsakademie Schleswig-Holstein, C‑210/16; and Jehovan todistajat, C‑25/17).
  • Fashion ID was also aware that the “Like” button allowed for the optimisation of its advertising, as advertisements for its products were displayed more prominently on Facebook when a visitor of its website clicked the “Like” button. Therefore, the personal data collection and subsequent transmission appeared to be conducted in the economic interests both of Fashion ID and of Facebook.

As a result of this analysis, the ECJ held that website operators using social plugins (such as Fashion ID) are responsible for providing appropriate fair processing information to their website visitors about how personal data is collected and transferred to applicable plugin providers (such as Facebook). To the extent that a plugin provider gains access to data within a website visitor’s terminal equipment (which requires consent under the ePrivacy rules), the website operator would also be responsible for obtaining the required consent from the website visitor, as the visitor navigating to the website is ultimately what triggers the need for consent.

However, the ECJ held that Fashion ID is not a data controller in respect of the data processing activities carried out by Facebook after the personal data had been transmitted to Facebook. Therefore, website operators are not responsible for data protection compliance with respect to these later processing activities and responsibility remains solely with Facebook.

Our Take:

The case continues to reflect the broad approach that the ECJ takes to controllership and joint controllership and has implications that likely extend beyond the specific Facebook “Like” button and apply to third-party integrations on websites that collect personal data. This was reflected in the UK Information Commissioner’s recently updated cookies guidance.

As a result of this case, many website operators will need to amend their privacy or cookies policies to provide their website visitors with further information about the collection and transmission of personal data by the plugins of third parties, including the identity of the relevant third parties and the purposes for which any data collected is processed by them.

In this case, the ECJ left it to the referring court, the Higher Regional Court Düsseldorf, to determine whether Facebook gains access to information stored in the terminal equipment of website users and therefore requires prior consent from the website visitors in accordance with Article 5(3) of the e-Privacy Directive.

However, more generally, where such consent is needed (which we consider will generally be the case), the ECJ makes it clear that it is the responsibility of the website operator to obtain this consent. This means that website operators will also need to revisit their consent mechanisms to cover the use of such plugins.