Insights Advocate General Bobek opines that the operator of a website embedding a third party plugin, such as the Facebook Like button, is jointly responsible for that stage of the data processing

The defendant, Fashion ID GmbH & Co KG, was a German online retailer selling fashion items. It embedded Facebook’s “Like” button as a plugin on its website. As a result, when a user landed on Fashion ID’s website, information about that user’s IP address and browser string was transferred to Facebook. That transfer occurred automatically when Fashion ID’s website had loaded, irrespective of whether the user had clicked on the Like button and whether or not they had a Facebook account.

Verbraucherzentrale NRW eV, a German consumer rights association, issued legal proceedings for an injunction against Fashion ID on the ground that the use of the Facebook Like button was a breach of data protection legislation.

The German court referred six questions to the Court of Justice of the European Union regarding the interpretation of various provisions of the Data Protection Directive (95/46/EC) (which was the applicable law).

The core question was whether Fashion ID was a “controller” in respect of the data processing taking place, and if so, how exactly should the individual obligations under the Directive be met. Whose legitimate interests should be considered under the balancing exercise required by Article 7(f) and did Fashion ID have a duty to inform data subjects about the processing? Finally, should Fashion ID obtain informed consent of data subjects?

The Advocate General opined that under the Directive, the operator of a website (such as Fashion ID) who has embedded in its website a third-party plugin (such as the Facebook Like button), which causes the collection and transmission of a user’s personal data, is a joint controller together with the third party (here Facebook Ireland).

However, that controller’s (joint) responsibility should be limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data. In other words, a joint controller is responsible for the operation or set of operations in which it shares or co-determines the purposes and means of the processing operation, but cannot not be liable for the previous and subsequent stages of the overall chain of processing, as it is not in a position to determine either the purposes or means of that processing.

Here, it appeared that Fashion ID and Facebook Ireland co-decided on the means and purposes of the data processing at the stage of collection and transmission of the personal data in question. Subject to the referring court’s verification, both Facebook Ireland and Fashion ID appeared to have voluntarily caused the collection and transmission of data and, although it was not identical, there was unity of purpose, i.e. a commercial and advertising purpose (Fashion ID’s decision to embed the Facebook Like button on its website was inspired by the wish to increase visibility of its products via the social network). Therefore, with respect to the collection and transmission stage of the data processing, Fashion ID acted as a controller and its liability was, to that extent, joint with that of Facebook Ireland.

As for the legitimacy of the processing of personal data in the absence of the website user’s consent, the Advocate General noted that such processing is lawful under the Directive if three cumulative conditions are fulfilled: i) the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; ii) the need to process personal data for the purposes of the legitimate interests pursued; and iii) that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence [Wiggin note: this last is a rather misleading phrase originally from case C-13/16 which should perhaps have better been expressed by the Court as ‘that the fundamental rights and freedoms of the data subject do not override the legitimate interest’].

In this respect, the Advocate General opined that the legitimate interests of both joint controllers have to be taken into account and balanced against the rights of the users of the website.

The Advocate General also said that Fashion ID had to obtain consent from the website user, where required. Likewise it was obliged to provide the website user with the required minimum information. (Case C-40/17 Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Advocate General Opinion) (19 December 2018) — to access the Opinion in full, go to the curia search form, type in the case number and follow the link).

Expertise