In the Fashion ID case (C-40/17) , the Court of Justice of the European Union (CJEU) found that the operator of a website that features a plug-in (such as a Facebook ‘Like’ button), can be considered a joint controller with the plug-in provider, in respect of the collection and transmission to that plug-in provider of the personal data of visitors to its website. However the website operator will not be a joint controller or liable for any subsequent processing of the personal data by the plug-in provider.
The CJEU also held that the website operator is responsible for obtaining consent from website visitors for the collection and transmission of their personal data and providing notice to visitors about the use and disclosure of their personal data.
Although the case was decided under the the Data Protection Directive 95/46/EC (the Directive), it will continue to be relevant under the GDPR, since the relevant definitions and obligations continue to apply under the new regime. The decision will have an impact not only on website operators that embed social plug-ins, but to any website operator that uses cookies to collect and transmit personal data of their visitors to third parties, such as AdTech providers.
Background
Fashion ID, an online fashion retailer, embedded a Facebook ‘Like’ social plug-in on its website. When a user visited Fashion ID’s website, information about that user’s IP address and browser string was transmitted to Facebook. That transmission occurred without the visitors being aware of it, and regardless of whether or not he/she was a member of Facebook or whether he/she clicked on the ‘Like’ button. A German Consumer Association criticised Fashion ID for transmitting to Facebook the personal data of visitors without their consent, and in breach of their information obligation to visitors regarding the use and disclosure of their data under the Directive.
Decision
The CJEU held that the operator of a website that embeds a social plug-in on its website, causing the browser of a visitor to the website to request content from the plug-in provider and, to that end, to transmit to that provider personal data of the visitor, can be considered to be a controller, jointly with the plug-in provider.
The CJEU noted that it is apparent from previous EU case-law (including Cases C‑210/16, and C‑25/17), that the fact that the operator of a website, such as Fashion ID, does not itself have access to the personal data collected and transmitted to the social plug-in provider with which it determines jointly the means and purposes of the processing of personal data, does not preclude it from being a controller.
Legitimate Interest
In the present case, as the referring court concluded that the data transmitted to Facebook was personal data, which was not necessarily limited to information stored in the terminal equipment of the user, the CJEU considered it necessary to examine the applicable legal basis for processing the personal data under the Directive.
If the controllers wished to rely on the legitimate interests legal basis, the CJEU held that it was necessary that both the operator and the provider each pursue a legitimate interest, in order for the processing operations to be justified.
The CJEU stated that it is for the referring court to investigate whether, in a situation such as that in the main proceedings, the provider of a social plug-in, gains access from the website operator to information stored in the terminal equipment of a website visitor, which would require the visitor’s consent under Article 5(3) of the e-Privacy Directive.
Consent
The CJEU further considered that where joint controllers are relying on consent as their legal basis, such consent must be obtained prior to the collection and transmission of the user’s personal data. It is the responsibility of the website operator, rather than for the provider of the social plugin, to obtain that consent since the processing of the personal data is triggered by the visitor consulting the website. However, the consent that must be given to the website operator relates only to the processing operations of which the operator actually determines the purposes and means, and not for any subsequent processing carried out by the plug-in provider.
Duty to inform
The CJEU similarly held that the duty to inform visitors about the use and disclosure of their data rests with the website operator, as such notice must be given at the time the personal data are collected. Again, the information to be provided need only relate to the processing operations in respect of which the website operator actually determines the purposes and means, and not for any subsequent processing carried out by the plug-in provider.
Comment
The decision confirms that website operators can be considered to be joint controllers and jointly liable with social plug-in providers (or other third parties such as AdTech providers), where operators embed technologies in their websites to collect and transmit personal data of visitors to those third parties. It serves as a reminder that such data processing must be transparent to data subjects and meet a lawful processing ground.
Article 26 of the GDPR imposes further obligations on joint controllers. It expressly requires joint controllers to enter into an “arrangement” determining their respective responsibilities for compliance with their obligations under the GDPR, in particular in regard to their duties to provide data subjects with the transparency information prescribed by Articles 13 and 14 of the GDPR, and handling requests from data subjects exercising their rights under the GDPR. This may be done by means of a data sharing contract.
To ensure compliance with Article 26, joint controllers should review their contractual arrangements to ensure they clearly set out the scope of their respective responsibilities. The essence of the arrangement between joint controllers must be made available to data subjects. In practice, this information can be provided to data subjects via the controllers’ privacy policies/notices.
The present case indicates that the website operator, rather than the third party to whom personal data is transmitted, is the most appropriate party to obtain consent of website visitors (where necessary) and to provide the transparency information, to the extent that such information should be provided at the time the personal data is collected. Insofar as the website operator does not have access to the personal data collected and transmitted to the relevant third party, that party may potentially be designated as being responsible for dealing with requests from data subjects. However, irrespective of the terms of the arrangement, the data subject is legally entitled to exercise his or her rights under the GDPR against any of the joint controllers.