ECJ Rules Companies Using Social Plugins Are Joint Controllers
The Situation: Fashion ID, a German online clothing retailer, embedded on its website the Facebook "Like" button. When a user consults the website of Fashion ID, that user's personal data are transmitted to Facebook Ireland. The transmission occurs regardless of whether the user is a Facebook member or has clicked on the "Like" button.
The Result: On July 29, 2019, the European Court of Justice ("ECJ") ruled (Case C-40/17), following the Opinion of Advocate General Bobek of December 2018, that Fashion ID and Facebook Ireland are joint controllers with regard to the operations involving the collection and disclosure by transmission to Facebook Ireland. However, Facebook Ireland is the sole controller regarding its processing after such transmission.
Looking Ahead: Besides updating their privacy policies, website operators that use social plugins, such as the Facebook "Like" button, will be required to ensure a legal basis for processing (this will regularly require obtaining consent from users, for example, via a cookie consent tool) and to provide appropriate notice to users prior to collecting and transmitting personal data to the social media provider offering the plugin. Additionally, website operators and social media providers will be required to enter into a joint-controller agreement.
Key Facts of the Decisions
- Consumer-protection associations may be granted the right to bring or defend legal proceedings for an infringement of data protection law under EU Member State law as now foreseen in Art. 82 (2) of the General Data Protection Regulation ("GDPR").
- A website operator embedding a third party plugin on its website, which causes the collection and transmission of the users' personal data to the plugin service provider, is considered a controller of that data.
- Embedding the plugin enables the processing of the user's personal data by the plugin service provider. Therefore, the website operator determines the purposes and means of the collection and transmission of the user's personal data jointly with the plugin service provider.
- Users must be informed about the processing of their data at the time of collection, and processing must be based on a legal justification (i.e., prior consent). However, the responsibility of the website operator, including its information obligation and its obligation to ensure a legal basis for the processing, is limited to those processing operations for which the website operator effectively codecides on the means and purposes of the processing of the personal data. In the case at hand (and in many parallel cases), this is limited to the collection and disclosure by transmission of the user's personal data to the plugin service provider.
- Where the processing of personal data does not require the consent of the user, but can be based on legitimate interest, both the website operator and the plugin service provider (as joint controllers) have to pursue a legitimate interest, which has to be balanced against the rights and freedoms of the user.
- Website operators and social plugin service providers are considered joint controllers for the collection and disclosure by transmission of personal data through the embedded social plugin.
- The responsibility of website operators is limited to those processing operations for which the website operator effectively codecides on the means and purposes of the processing of the personal data. This will regularly concern the collection and disclosure by transmission of the personal data through the social plugin.
- Website operators (in respect of operations for which they are (joint) controllers) will have to ensure that:
  - By updating their privacy policies, users are provided with appropriate notice.
  - The processing is based on a legal justification under the GDPR, in many cases the consent of the user (which will practically require the inclusion of the plugin into the website cookie consent tool).
  - A joint controller agreement is entered into with the social plugin service provider to address responsibility for compliance and in particular liability issues.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.