On December 19, 2018, Advocate General Bobek published his opinion in case C-40/17, deeming that anyone who embeds the Facebook “Like” button on his website can be considered a joint controller.
In this case, a German online fashion retailer embedded Facebook’s ‘Like’ button in its website. As a result, when a user landed on the retailer’s website, information about that user’s IP address and browser string was transferred to Facebook. The transfer occurred automatically when the retailer’s website loaded, irrespective of whether the user clicked on the ‘Like’ button and whether or not she had a Facebook account.
A German consumer protection association sought an injunction against the retailer on the ground that the use of that plug-in resulted in a breach of data protection legislation.
The Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany) requested a preliminary ruling from the Court of Justice of the European Union (CJEU), seeking the interpretation of several data protection provisions contained in Directive 95/46/EC, which has now been replaced by the General Data Protection Regulation (GDPR).
In particular, the German court enquired whether Directive 95/46/EC “allows national legislation to grant standing to a consumer association to bring a claim such as the one in this case.” Turning to the substance, the core question posed by the German court is whether the retailer must be classified as a ‘controller’ with regard to this data processing and be subjected to the related obligations.
Advocate General Bobek concludes that “Directive 95/46 does not preclude national legislation which grants public-service associations standing to commence legal proceedings against the alleged infringer of data protection legislation in order to safeguard the interests of consumers.” This right is now expressly granted under Article 80(2), GDPR.
Advocate General Bobek goes on to state that “a person, such as the Defendant, that has embedded a third-party plug-in in its website, which causes the collection and transmission of the user’s personal data (that third party having provided the plug-in), shall be considered to be a controller within the meaning of Article 2(d) of Directive 95/46. However, that controller’s (joint) responsibility is limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.”
Consequently, a website operator which has embedded the content of a third party must inform the data subject of the data processing and gather her informed consent before the data are collected and transferred. “However, the extent of those obligations shall correspond with that operator’s joint responsibility for the collection and transmission of the personal data.”
This is in line with Article 26(1), GDPR, which allows joint controllers to “determine their respective responsibilities for compliance with the obligations.”
More on case C-40/17, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW is available at http://curia.europa.eu….
Advocate General Bobek’s opinion is available at http://curia.europa.eu…
More on GDPR is available at http://www.technethics.com…
Originally published on Technethics in February 2019