August 5, 2019

The defendant, Fashion ID GmbH & Co KG, is a German online retailer of fashion clothing. It embedded Facebook’s “Like” button as a plugin on its website. As a result, when a user landed on Fashion ID’s website, his/her personal data in the form of his/her IP address and browser history was transferred to Facebook Ireland. This occurred automatically when Fashion ID’s website had loaded, irrespective of whether the user had clicked on the Like button and whether or not they had a Facebook account.

Verbraucherzentrale NRW eV, a German consumer rights association, issued proceedings in the German courts against Fashion ID for transmitting personal data without consent and in breach of obligations to inform, as required by data protection legislation.

The German court referred six questions to the CJEU regarding the interpretation of various provisions of the Data Protection Directive (95/46/EC) (which was the applicable law at the time).

The core question was whether Fashion ID was a “controller” in respect of the data processing taking place, and if so, how exactly should the individual obligations under the Directive be met. Whose legitimate interests should be considered under the balancing exercise required by Article 7(f), and did Fashion ID have a duty to inform data subjects about the processing? Finally, should Fashion ID obtain informed consent of data subjects?

The CJEU found that:

• once the data had been transferred to Facebook Ireland, Fashion ID was not a controller in relation to the processing carried out by Facebook Ireland, as Fashion ID could not determine the purposes and means of that processing;
• however, Fashion ID was a joint controller with Facebook Ireland in relation to the collection and disclosure of the data when it transmitted it to Facebook Ireland, since at that stage both Fashion ID and Facebook Ireland jointly determined the means and purposes of processing;
• by embedding a Facebook “Like” button on its website, when a visitor clicked on that button, Fashion ID increased publicity for its goods by displaying them on Facebook as well as on its own website. Therefore, Fashion ID was processing personal data (by collecting and transmitting it to Facebook Ireland) in order to benefit from a commercial advantage. The processing was being performed in the economic interests of both Fashion ID and Facebook Ireland, for whom the fact that it could use that data for its own commercial purposes constituted consideration for the benefit to Fashion ID;
• any joint controller collecting and transmitting data must provide, at the time of collection, certain information to visitors, such as, for example, its identity and the purposes of processing;
• where a data subject has given his or her consent, the operator of a website such as Fashion ID must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data; and
• where the processing of data is necessary for the purposes of a legitimate interest, each of the (joint) controllers, i.e. the operator of the website and the provider of a social plugin, must pursue its own legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them.

(Case C-40/17 Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV EU:C:2019:629 (29 July 2019) — to access the judgment in full, go to the curia search form, type in the case number and follow the link).