EU Court Determines Responsibility for Social Plug-ins on Website

Key Takeaways

• Website operators that use a plug-in to embed Facebook’s “Like” button on their websites can be “data controllers” and are jointly responsible for the data collected by those plug-ins and sent to Facebook. 
• As long as a website operator has a role in determining the purposes and means of processing, the website operator may be a controller even if it does not have access to the personal data collected and transmitted to the other party. 
• Website operators are not responsible for subsequent uses of visitors’ personal data by Facebook.
• This decision has far-reaching effects in determining who is liable for the routine integrations that occur on practically every website. The implications of the decision might not be limited to embedded third-party plug-ins. For example, the rationale for the decision could be applied in the context of other advertising technologies (e.g., cookies, pixel tags or mobile SDKs), which could have major implications for the advertising technology industry. 
• As a result of this ruling, website operators that use Facebook plug-ins need to take action to update their privacy policies, in order to inform visitors that their personal data is being collected and transmitted to Facebook through the “Like” button and potentially to obtain consent. 
• Website operators that integrate Facebook plug-ins for European targeted sites may need to both agree to joint-controller terms with Facebook and meet other obligations under the EU General Data Protection Regulation (GDPR).

Summary of the Case

In FashionID GmbH & Co. KG v. Verbraucherzentrale NRW, German consumer protection group Verbraucherzentrale brought a lawsuit against online clothing retailer FashionID over its use of Facebook’s “Like” button on its websites. Visitors to these websites can “like” clothing or accessories available on the sites, which would then share the image of those items on Facebook. FashionID allegedly configured the Facebook “Like” plug-in so that it automatically transferred data—in this case, IP addresses and browser strings—about all visitors to FashionID’s websites to Facebook as soon as the websites loaded on their device, regardless of whether a visitor used the “Like” button or was logged in to Facebook. Verbraucherzentrale asserted that this was in violation of EU data protection legislation. 

After the case reached the High Court of Germany on appeal, the court referred the case to the European Court of Justice to make a preliminary ruling on (1) whether a website operator was a controller when embedding a third-party plug-in that collected and transmitted personal data; and (2) if so, what obligations the website operator had regarding establishing a legal basis and providing notice to the end user in relation to use of such a plug-in. 

The ECJ Decision

Website Operators and Plug-in Providers Are Joint Controllers (for Certain Operations)

The ECJ clarified the test for determining whether an organization is a controller (including a joint controller). A company is a controller only in respect of operations involving the processing of personal data for which it determines the purposes and means but cannot be a controller of operations that precede or follow in the overall chain of processing and for which that company does not determine either the purposes or the means.

By integrating the Facebook “Like” button on its website, FashionID made it possible for Facebook to obtain personal data of visitors to its website and was capable of determining, jointly with Facebook, the purposes and means of this data processing. Therefore, the ECJ concluded that FashionID was a controller, jointly with Facebook, with respect to the collection of personal data and its transmission to Facebook. The court determined that both parties were joint controllers, since each party could be responsible for the stage of processing in which it was involved. Both FashionID and Facebook determined the commercial purposes of the use of the “Like” button, and both participated in the means of processing, collection and transmission of data—FashionID by using the “Like” button plug-in, and Facebook by providing it. However, the ECJ suggested there could be further “phases” of processing by Facebook for which FashionID is not jointly responsible, since it would appear to be impossible that FashionID determined the purposes and means of these additional data processing activities.

Legal Basis, Notice and Consent Requirements

FashionID’s classification as a joint controller for limited purposes raised questions of which entity—the website operator that uses the plug-in or the provider of the plug-in—has the duty to inform the visitor, and which is responsible for obtaining consent. 

The ECJ held that each joint controller must have a valid, legitimate interest if it wishes to rely on this legal basis for data collection and transmission through the plug-in. However, the ECJ left it to the referring court to confirm whether Article 5(3) of the ePrivacy Directive—which requires consent to be obtained for the use of technologies that store information, or that gain access to information stored, on a user’s device—applies in this case.

The ECJ stated that where the joint controllers are relying on consent as their legal basis, they must obtain such consent prior to any data collection or transmission through the plug-in. Accordingly, the ECJ determined that it is for the website operator rather than the plug-in provider to provide notice of the plug-in’s operations and to obtain that consent, since the processing operations are triggered when the end user visits the website.

However, the website operator does not need to obtain consent or provide notice for any other operations where it is not a controller (such as subsequent processing carried out by the plug-in provider).

Action Items for Publishers and Plug-in Providers

1. Update privacy policies. Organizations must provide website users with notice of the processing and of the arrangement regarding the responsibilities of joint controllers, in order to satisfy the GDPR’s transparency obligations.
   
2. Revise contracts. The GDPR requires that organizations revise their contractual agreements to reflect the scope of joint controllership and respective responsibilities. Ensure legal responsibility is delineated in agreements with third parties whose plug-ins are deployed on the website. 
   
3. Identify an appropriate legal basis for joint processing operations. If legitimate interests are relied upon as the legal basis, it is important to remember that a “Legitimate Interests Assessment” should be conducted and documented. However, note that in certain cases the ePrivacy Directive may not allow reliance on legitimate interests.
   
4. Understand the implications of this case for Ad Tech. Though this case concerned a social media plug-in, the ruling could be extended to apply when website operators use other advertising technologies. A Facebook plug-in is in many ways similar to other cookies, pixels, tags, scripts and other third-party code or content that routinely gets integrated into websites and collects personal data. A finding that Facebook plug-ins require user consent could potentially spread to other common integrations, such as other social media pixels, tags or third-party cookies used for audience tracking, targeting and attribution. As such, website operators and their Ad Tech partners may need to take certain steps to ensure that processing is in line with the FashionID ruling and the subsequent rulings that will be released related to this case.