DATA PROTECTION
EU Court of Justice: the operator of a website embedding a third party plugin such as the Facebook Like button, which causes the collection and transmission of the users’ personal data, is jointly responsible for that stage of the data processing.
Fashion ID is a German online retailer which sells fashion items. It embedded a plugin on its website: Facebook’s ‘Like’ button. As a result, when a user lands on Fashion ID’s website, information about that user’s IP address and browser string is transferred to Facebook. That transfer occurs automatically when Fashion ID’s website has loaded, irrespective of whether the user has clicked on the Like button and whether or not he has a Facebook account.
Verbraucherzentrale NRW, a German association defending the interests of consumers, brought legal proceedings for an injunction against Fashion ID on the ground that the use of the Facebook Like button results in a breach of data protection legislation.
Seized of the case, the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany) seeks the interpretation of several provisions of the former Data-Protection-Directive of 19951 (which remains applicable to this case, but has been replaced by the new General Data Protection Regulation of 20162 with effect from 25 May 2018).
In today’s opinion, Advocate General Michal Bobek proposes to the Court of Justice to rule, first, that the directive does not preclude national legislation which grants public-service associations standing to commence legal proceedings against the alleged infringer of data protection legislation in order to safeguard the interests of consumers.
The Advocate General then proposes to rule that under the Data-Protection-Directive the operator of a website (such as Fashion ID) who has embedded on its website a third-party plugin (such as the Facebook Like button), which causes the collection and transmission of the user’s personal data, shall be considered to be a joint controller, along with such third party (here Facebook Ireland).
However, that controller’s (joint) responsibility should be limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.
That means that a (joint) controller is responsible for that operation or set of operations for which it shares or co-determines the purposes and means as far as a given processing operation is concerned. By contrast, that person cannot be held liable for either the previous and later stages of the overall chain of processing, for which it was not in a position to determine either the purposes or means.
On the facts in the present case, it thus appears that Fashion ID and Facebook Ireland co-decide on the means and purposes of the data processing at the stage of the collection and transmission of the personal data at issue. Subject to the referring court’s verification, both Facebook Ireland and Fashion ID appear to have voluntarily caused the collection and transmission stage of the data processing and albeit not identical, there is unity of purpose: there is a commercial and advertising purpose (Fashion ID’s decision to embed the Facebook Like button on its website appears to be inspired by the wish to increase visibility of its products via the social network).
Therefore, with respect to the collection and transmission stage of the data processing, Fashion ID acts as a controller and its liability is, to that extent, joint with that of Facebook Ireland.
As regards the legitimacy of the processing of personal data in the absence of the website user’s consent3, the Advocate General recalls that such processing is lawful under the directive in particular if three cumulative conditions are fulfilled: first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.
In this respect, the Advocate General proposes to the Court to rule that the legitimate interests of both joint controllers at issue (Fashion ID and Facebook Ireland) have to be taken into account and balanced against the rights of the users of the website.
The Advocate General also proposes to rule that the consent of the website user, where required, has to be given to the operator of the website (Fashion ID) that has embedded the content of a third party. Likewise the obligation to provide the website user with the required minimum information applies to the operator of the website (Fashion ID).
The Judges of the Court are now beginning their deliberations in this case. Judgment will be given at a later date.
Verbraucherzentrale NRW, a German association defending the interests of consumers, brought legal proceedings for an injunction against Fashion ID on the ground that the use of the Facebook Like button results in a breach of data protection legislation.
Seized of the case, the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany) seeks the interpretation of several provisions of the former Data-Protection-Directive of 19951 (which remains applicable to this case, but has been replaced by the new General Data Protection Regulation of 20162 with effect from 25 May 2018).
In today’s opinion, Advocate General Michal Bobek proposes to the Court of Justice to rule, first, that the directive does not preclude national legislation which grants public-service associations standing to commence legal proceedings against the alleged infringer of data protection legislation in order to safeguard the interests of consumers.
The Advocate General then proposes to rule that under the Data-Protection-Directive the operator of a website (such as Fashion ID) who has embedded on its website a third-party plugin (such as the Facebook Like button), which causes the collection and transmission of the user’s personal data, shall be considered to be a joint controller, along with such third party (here Facebook Ireland).
However, that controller’s (joint) responsibility should be limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.
That means that a (joint) controller is responsible for that operation or set of operations for which it shares or co-determines the purposes and means as far as a given processing operation is concerned. By contrast, that person cannot be held liable for either the previous and later stages of the overall chain of processing, for which it was not in a position to determine either the purposes or means.
On the facts in the present case, it thus appears that Fashion ID and Facebook Ireland co-decide on the means and purposes of the data processing at the stage of the collection and transmission of the personal data at issue. Subject to the referring court’s verification, both Facebook Ireland and Fashion ID appear to have voluntarily caused the collection and transmission stage of the data processing and albeit not identical, there is unity of purpose: there is a commercial and advertising purpose (Fashion ID’s decision to embed the Facebook Like button on its website appears to be inspired by the wish to increase visibility of its products via the social network).
Therefore, with respect to the collection and transmission stage of the data processing, Fashion ID acts as a controller and its liability is, to that extent, joint with that of Facebook Ireland.
As regards the legitimacy of the processing of personal data in the absence of the website user’s consent3, the Advocate General recalls that such processing is lawful under the directive in particular if three cumulative conditions are fulfilled: first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.
In this respect, the Advocate General proposes to the Court to rule that the legitimate interests of both joint controllers at issue (Fashion ID and Facebook Ireland) have to be taken into account and balanced against the rights of the users of the website.
The Advocate General also proposes to rule that the consent of the website user, where required, has to be given to the operator of the website (Fashion ID) that has embedded the content of a third party. Likewise the obligation to provide the website user with the required minimum information applies to the operator of the website (Fashion ID).
The Judges of the Court are now beginning their deliberations in this case. Judgment will be given at a later date.
