On 29 July 2019, the Court of Justice of the European Union ("CJEU") rendered its judgment in the "Fashion ID" case (C-40/17). The judgment adopts a wide interpretation of the controllership concept regarding the processing of personal data, in particular via the use of social media tools, and should be read in conjunction with previous decisions taken by the CJEU retaining similar outcomes.
In the "Fashion ID" case, the CJEU held that, under EU data protection legislation, the operator of a website featuring a Facebook "Like" button (i.e. a plugin that entails the transmission of personal data to Facebook) can be seen as acting as controller, jointly with Facebook. In consequence, that website operator is responsible for complying with the legal obligations in this context, and in particular for informing its website visitors that their personal data may be transmitted to Facebook.
Indeed, any such "plugin" button permits the transmission of personal data (such as an IP address) to Facebook, and this data processing occurs even if the visitor does not have a Facebook account.
In the case at hand, a German consumer protection association brought a lawsuit against the aforementioned website operator for infringement of the data protection legislation, in particular due to the lack of information provided to the visitors and also the failure to obtain their consent (as based on Directive 2002/58/EC on privacy and electronic communications).
A German Regional Court therefore requested a preliminary ruling of the CJEU asking it to provide its interpretation of the European data protection legislation. The case was discussed under the framework of the former Directive 95/46/EC, as repealed on 25 May 2018 by the EU General Data Protection Regulation 2016/679 ("GDPR"). However, the reasoning held by the CJEU would most likely apply in the GDPR era, as the legal concepts and principles established under the GDPR mainly derive from its "legal ancestor", Directive 95/46/EC.
The CJEU held that, by embedding a social media "plugin" on its website, the website operator made it possible for Facebook to receive personal data from its visitors and was hence to be considered as acting as controller jointly with Facebook for that processing operation. However, the website operator should not be seen as acting as (joint) controller with regard to the subsequent processing operations that Facebook may carry out after having received the personal data, as it is impossible for the website operator to determine the purposes and means of these processing activities, which are established solely under the control of the social-media editor.
Therefore, for the portion of the processing operations for which the website operator acts as a controller, that operator shall inform the visitors (i.e. data subjects) of the processing operations affecting their personal data via the use of the social-media "plugin" and shall obtain their consent in this respect if such processing enables the website operator to have access to personal information stored in the data subjects' terminal equipment by depositing cookies or using similar technologies.
The outcome of this "Fashion ID" case is not particularly surprising as the CJEU held previous positions relying on quite similar reasoning.
Indeed, with regard to the use of social-media tools, the Court ruled on 5 June 2018 that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the personal data of visitors to the page. According to the Court, such an administrator takes part, by its definition of the parameters, in the determination of the purposes and means of the processing, as any Facebook page administrator can obtain anonymous statistical data on visitors via a function called "Facebook Insights", which collects personal data via the deposit of cookies.
According to both the above CJEU rulings, the fact that a website operator or web page administrator does not have access to the personal data collected and transmitted to the social-media editor does not affect its capacity as (joint) controller as long as that party has a role in determining the purposes and means of the processing.
This position is in fact consistent with a previous CJEU ruling stating that the joint responsibility of several players for the same processing does not require each of them to have access to the personal data concerned. In that particular case, the CJEU stated that a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller of the processing of personal data (even without having access to the personal data in question).