At the end of July, the European Court of Justice (ECJ) ruled in case no. C-40/17 (“Fashion ID Case”), which dealt with the interpretation of the concept of data controller and the issue of joint data processing. The basic question to be clarified was the role of the website operator and Facebook in connection with the placement of the Facebook’s "Like" button on webpages and the data processing related to the use of the "Like" button.

It can be recalled that last summer, the ECJ ruled, in case no. C-210/16 (“Wirtschaftsakademie Schleswig Holstein Case”), that the operator of a Facebook fan page and Facebook shall be considered as joint controllers: "the concept of ‘controller’ within the meaning of that provision encompasses the administrator of a fan page hosted on a social network."

The case

Fashion ID, an online clothing retailer, embedded on its website the ‘Like’ social plugin from the social network Facebook (“the Facebook “Like” button”). “If a website operator intends to embed such third-party content, he places a link to the external content on that website. When the browser of a visitor to that website encounters such a link, it requests the content from the third-party provider and adds it to the appearance of the website at the desired place. For this to occur, the browser transmits to the server of the third-party provider the IP address of that visitor’s computer, as well as the browser’s technical data, so that the server can establish the format in which the content is to be delivered to that address. In addition, the browser transmits information relating to the desired content. The operator of a website embedding third-party content onto that website cannot control what data the browser transmits or what the third-party provider does with those data, in particular whether it decides to save and use them.” (Point 26 of the judgment)

In case of the use of the Facebook “Like” button, “[…] when a visitor consults the website of Fashion ID, that visitor’s personal data are transmitted to Facebook Ireland as a result of that website including that button. It seems that that transmission occurs without that visitor being aware of it regardless of whether or not he or she is a member of the social network Facebook or has clicked on the Facebook ‘Like’ button.” (Point 27 of the judgment)

In addition to clarifying whether public-service associations have the power to take action against the infringer in the event of an infringement in order to safeguard the interests of consumers, the questions raised were essentially about the position of website operator similar to Fashion ID, who has embedded a programming code in his website which causes the user’s browser to request content from a third party and, to this end, transmits personal data to the third party, i.e. whether the person embedding the content can be regarded as the “controller” “if that person is himself unable to influence this data-processing operation.” The questions also related to the issue that in case, Fashion ID could not be classified as a data controller, Directive no. 95/46 (the case was initiated before the GDPR became applicable) to be interpreted in a manner that it definitively regulates liability and responsibility in such a way that it precludes civil claims against a third party who, although not a “controller”, nonetheless creates the cause for the processing operation, without influencing it (according to the national court, German ID may establish Fashion ID's liability as 'Störer')? The referring court also inquired as to whose legitimate interest is the decisive one in the balancing of interests to be undertaken (the interest of the one embedding third-party content or the interests of the third party)? It was also asked to whom must the consent to be given in a situation such as that in the present case?

Does the website operator qualify as a data controller if he embeds the "Like" button in his website?

The ECJ has noted that, in order to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, the concept of ‘controller’ shall be interpreted broadly.

The Court also stated (in line with its former practice) that “[…] the joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned” (Point 69 of the judgment). However, “[…] the existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data” (Point 70 of the judgment).  

In connection with the determination of the means of data processing, the ECJ concluded that, subject to the investigations that it is for the referring court to carry out in this respect,

[…] Facebook Ireland and Fashion ID determine jointly the means at the origin of the operations involving the collection and disclosure by transmission of the personal data of visitors to Fashion ID’s website. (Point 79 of the judgment)

The above statement of the ECJ was based on the followings:

• “[…] by embedding on its website the Facebook ‘Like’ button, Fashion ID appears to have made it possible for Facebook Ireland to obtain personal data of visitors to its website and that such a possibility is triggered as soon as the visitor consults that website, regardless of whether or not the visitor is a member of the social network Facebook, has clicked on the Facebook ‘Like’ button or is aware of such an operation” (Point 75 of the judgment);
• the operations involving the processing of personal data in respect of which Fashion ID is capable of determining, jointly with Facebook Ireland, the purposes and means, shall qualify as data processing (the collection and disclosure by transmission of the personal data of visitors to its website);
• by contrast, in the light of that information, it seems, at the outset, impossible that Fashion ID determines the purposes and means of subsequent operations involving the processing of personal data carried out by Facebook Ireland after their transmission to the latter, meaning that Fashion ID cannot be considered to be a controller in respect of those operations (Point 76 of the judgment);
• Fashion ID appears to have embedded on its website the Facebook ‘Like’ button made available to website operators by Facebook Ireland while fully aware of the fact that it serves as a tool for the collection and disclosure by transmission of the personal data of visitors to that website, regardless of whether or not the visitors are members of the social network Facebook (Point 77 of the judgment);
• “[…] by embedding that social plugin on its website, Fashion ID exerts a decisive influence over the collection and transmission of the personal data of visitors to that website to the provider of that plugin, Facebook Ireland, which would not have occurred without that plugin” (Point 78 of the judgment).

 In connection with the determination of the purposes of data processing, the ECJ concluded that

[…] Fashion ID and Facebook Ireland determine jointly the purposes of the operations involving the collection and disclosure by transmission of the personal data at issue in the main proceedings. (Point 81 of the judgment).

The joint determination of purposes is based on the fact that “[…] it appears that Fashion ID’s embedding of the Facebook ‘Like’ button on its website allows it to optimise the publicity of its goods by making them more visible on the social network Facebook when a visitor to its website clicks on that button. The reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a plugin on that website is in order to benefit from the commercial advantage consisting in increased publicity for its goods; those processing operations are performed in the economic interests of both Fashion ID and Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes is the consideration for the benefit to Fashion ID.” (Point 80 of the judgment).

The ECJ summarized in its judgment that “[…] the operator of a website, such as Fashion ID, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller […]. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.” (Point 85 of the judgment)

In its response to the question regarding the legitimate interest, the ECJ stated that “[…] it is necessary that that operator and that provider each pursue a legitimate interest” (Point 97 of the judgment).  

As the obtaining of the consent and the information obligation are concerned, the consent must be obtained and the information must be provided by that operator only with regard to the operation or set of operations involving the processing of personal data in respect of which that operator determines the purposes and means (Point 106 of the judgment.

How the situation has been changed by the GDPR?

The judgment is based on the interpretation of Directive 95/46, but its findings are also applicable to the GDPR, since the terms of the Directive and the Regulation have substantially the same meaning. The GDPR expands the rules on joint data processing compared to the Directive (see Article 26 of the Regulation), so website operators and social media module providers (including Facebook, Twitter, LinkedIn, etc.) should also comply with these provisions.

In addition to the GDPR, the emerging e-Privacy Regulation will also play a role in determining the obligations of data controllers in situations such as the Fashion ID case. Until the adoption of the e-Privacy Regulation, national legislation implementing the rules of Directive 2002/58/EC, as amended by Directive 2009/136/EC, governs the way data is stored and accessed by service providers in the user's terminal equipment. (The use of cookies has recently come under the scrutiny of several data protection authorities, in particular the guidelines issued by the French and UK authorities have been widely discussed.)

What effects can the judgment have?

The Fashion ID judgment (also taking into account the findings in the Wirtschaftsakademie Schleswig-Holstein Case) can have a significant impact on the relationship between website operators and social media service providers and other third parties (e.g. online advertising market players). In addition, an important lesson to be learned is the broad interpretation of the concept of controller and the conclusion that the parties shall be regarded as joint controllers. There may be many situations in the future where the decision as to whether the means and purpose of data processing has been jointly determined may be based on the criteria used in the Fashion ID case.

Agreements between joint controllers pursuant to Article 26 of the GDPR shall be concluded and the relevant information to the data subjects shall be provided (in particular, by the party, who is in direct contact with data subjects, i.e. in cases like Fashion ID case, the operator of the website). The sample agreement and the information template on joint data processing drawn up by the Data Protection Authority of Baden-Württemberg may also help controllers to comply with the obligations of joint controllers.