Facebook LIKE button creates joint data controllers and uncertainties

Facebook LIKE button renders the website operator and Facebook joint data controllers according to the ECJ leading to uncertainties in relation to the proper handling of any plugin and third-party cookie under data protection law.

Here is another position that will lead to considerable discussions as to treatment under the EU Data Protection Directive 95/46 (and therefore on a regime prior to the GDPR) of the website operator and Facebook as to the processing of personal data collected by means of a Facebook LIKE button plugin. The matter was subject of the opinion of the Advocate General of the European Court of Justice, Michal Bobek and now the European Court of Justice issued its decision on the Fashion ID case.

The Facebook “LIKE” button case

Fashion ID GmbH & Co. KG is an online retailer which sells fashion items. It embedded a plug-in in its website, the Facebook’s Like button. As a result, when a user lands on Fashion ID’s website, information about that user’s IP address and browser string are transferred to Facebook. That transfer occurs automatically when Fashion ID’s website has loaded, irrespective of whether the user has clicked on the LIKE button and of whether or not he has a Facebook account. Also, this transfer of data happens without that visitor being aware of it.

Verbraucherzentrale NRW e.V, a German consumer protection association, brought legal proceedings for an injunction against Fashion ID on the ground that the use of that plug-in results in a breach of data protection legislation.

The decision of the European Court of Justice on the Facebook Like case and why there are joint data controllers

The European Court of Justice in its decision held the following:

1. National legislation is not precluded from granting a consumer association to bring actions against an alleged infringer of data protection laws

This right is expressly provided by the GDPR which states in article 80 that

“The data subject shall have the right to mandate a not-for-profit body, organisation or association [—] with regard to the protection of their personal data to lodge the complaint on his or her behalf“.

 

Such change is a significant innovation because it introduces a sort of “class action” under the GDPR. And this provision has been implemented in countries like France with even broader scope, as you can appreciate from the article of my French colleagues here (“France – Facebook could face a € 100 million class-action suit for violating GDPR“).

Despite the change provided by the GDPR, according to the European Court of Justice, it was not precluded, even under the EU Directive 95/46 in place prior to the GDPR, to an EU Member States to prescribe a right of consumer associations to bring claims for data protection law related matters.

2. Fashion ID and Facebook as joint data controllers due to the LIKE functionality but within limits

The European Court of Justice refers to its previous decisions in

• the Wirtschaftsakademie Schleswig-Holstein case which I had summarized in an earlier post (See the article “Facebook fan page admin liable for its privacy compliance“) and in which the Court held for the joint controllership due to the contribution by the Facebook Page admin to the “determination of the parameters” of the page; and
• the Jehovan todistajat case where the court held that to have joint control and joint responsibility, it is not required that each of the controllers must have access to (all of) the personal data concerned.

Based on the above, the ECJ held that since the decision by Fashion ID to publish the LIKE plugin on the site allowed the collection of personal data by Facebook, they are joint data controllers. But because the website operator is only involved in the collection and disclosure of personal data to Facebook, its role as a controller and its liability is limited to such phase. Facebook is, on the contrary, the sole data controller of the data processing activities performed after the transfer of data from Fashion ID.

This interpretation is quite broad. And interestingly, the court referred to the definition of joint controllers provided by the GDPR under which there is a joint controllership “Where two or more controllers jointly determine the purposes and means of processing“. Therefore, the question is whether a joint controllership can occur, regardless of any sort of agreement as to the modalities of the processing, but just because they both contribute to it. Such a conclusion would emphasize once again that the roles of the parties under a data protection law perspective are entirely independent of any arrangement between them. They cannot be the result of decisions of the parties but a situation de facto.

3. The legitimate interest needs to be of not only the website operator but also of Facebook

The court reminded that a balancing test necessary to maintain the existence of legitimate interest as a legal basis of the data processing requires

1. the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed;
2. the need to process personal data for the legitimate interests pursued; and
3. the condition that the fundamental rights and freedoms of the data subject whose data require protection do not take precedence.

Since according to the European Court of Justice, the website operator and Facebook are joint data controllers in the collection and transfer of data through the LIKE functionality, both their interests have to be taken into account for the purposes of the balancing test.

This point is valid if you follow their reasoning. But it does not take into account the reality of the facts. Such a balancing test is likely to be run only by the website operator, assessing Facebook’s interests on the basis of mere assumptions, without having any sort of joint controllership agreement with the social media.

You can read on the topic above the article “Legitimate interest and privacy consent, how to use them under the GDPR?“.

4. The privacy information notice shall be provided by the website operator that shall also obtain the individual’s consent

The ECJ provided that the website operator is liable to

• obtain consent from the individuals only to the collection and disclosure of personal data to Facebook, which are the data processing activities for which it determines the purposes. And such consent shall be obtained before the beginning of the transfer; and
• provide the privacy information notice concerning the above-mentioned the collection and disclosure of personal data.

The views above seem to make sense. But they do not clarify whether consent has to be required or the legitimate interest can operate as a valid alternative to that, based on a balancing test whose terms shall be assessed only by the operator.

My top 3 best practices in dealing with social media plugins and third party cookies

This decision leaves several “grey” areas to be assessed. Are agreements relating to the role of joint controllers between Facebook and website operators going to be entered as to the LIKE plugin? Even if such agreements are entered, will they give any control to operators on the negotiation? Is the opinion not taking into account what happens in reality?

My top three best practices in dealing with Facebook LIKE buttons are

1. The decision is not relevant only if your website uses the Facebook LIKE button, but it might apply to any social media plugin and in general any third-party cookie;
2. Before installing on your website a social media plugin and in general any tool transmitting data of the website users to third parties, ensure that this is tested by the IT department that gains a full understanding of what data are collected from users and transmitted to the social media as well as what activities performed with disclosed data by the social media; and
3. The operation of the social media plugin and third party cookies needs fully reflected in the privacy information notice and the cookie policy of the website and consent needs to be obtained to the transfer of data to the social media / third-party installing cookies to avoid the uncertainties of assessing the legitimate interest of Facebook or other social media on whose operations there is limited control.

I hope that this review of the case is useful. On the same topic, you may find interesting this article “Facebook fan page admin liable for its privacy compliance.”