By decision C‑40/17 of July 29, 2019, Fashion ID vs. German Supervisory Authority, the European Court of Justice ruled that:
– The operator of a website, such as Fashion ID, that embeds on its website a social plugin (i.e. Facebook “Like” button) can be considered a controller.
– Its liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means (i.e. the collection and disclosure by transmission of the visitor’s data to Facebook).
– In such circumstances, it is for the operator of the website, rather than for the provider of the social plugin, to obtain any necessary consent and provide the information notice, since it is the fact that the visitor consults that website that triggers the processing of the personal data.
– However, the consent to be given to the website’s operator relates only to the operation or set of operations involving the processing of personal data in respect of which the operator actually determines the purposes and means.
The website’s operator is a joint-controller
– The operator of a website is a joint-controller of the data processing triggered by the use of any social media plugin such as the Facebook “Like” button it embeds on its website.
– The Court considered that the website operator was involved in the determination of the purposes and means of processing triggered by the social media plugin (i.e. optimising the publicity of its goods by making them more visible on Facebook).
– It is not necessary for the website’s operator to have access to the personal data at issue in order to be considered a joint controller.
– This position is in line with a previous case relating to the statistics cookies dropped by Facebook on a Facebook fan page. The administrator of the Facebook fan page was considered a joint controller as it benefited from the processing carried out by Facebook (see here for more details about this case).
Its liability is limited to the set of processing operations it carries out but it remains in charge of providing a privacy notice and obtaining any necessary consent
– As a joint controller, the website’s operator is only responsible for the set of processing operations it carries out for the purpose of optimising the publicity of its goods on Facebook (i.e. collection and disclosure by transmission) and may not be responsible for any further/additional use of the data by Facebook.
– As a consequence, and given that the data is collected and transmitted by the website operator, it is responsible for providing the information notice and obtaining any necessary consent for these purposes only.
The ECJ has provided a glimpse of the way each joint controller’s responsibilities will be allocated by the judges
– Surprisingly, the Court seems to distinguish processing operations from purposes of processing so as to limit the liability of the website’s operator to the processing operations under its actual control. Indeed, the Court does not extend its liability to any further operations carried out by Facebook to achieve the purposes of optimising the publicity of the website operator’s goods by making them more visible on Facebook.
– Each controller’s GDPR obligations (e.g. provision of notice etc.) are determined on a case-by-case basis depending on which of the parties is better suited to meet such requirements.