A website has data responsibility for Facebook 'like' button: EU Court

(LUXEMBOURG) - A website's use of Facebook's 'Like' button, which processes users' personal data, makes the website jointly responsible for that stage of the data processing, says the EU top Court's Advocate General.

This means, in the Opinion of Advocate General Bobek, that the operator of the website has to provide, with regard to data processing operations, the users with the required minimum information and obtain, where required, their consent before data are collected and transferred.

The case concerned Fashion ID, a German online fashion retailer, who embedded a plugin on its website: Facebook's 'Like' button. As a result, when a user lands on Fashion ID's website, information about that user's IP address and browser string is transferred to Facebook. That transfer occurs automatically when Fashion ID's website has loaded, irrespective of whether the user has clicked on the Like button and whether or not he has a Facebook account.

The case was brought by Verbraucherzentrale NRW, a German consumer group on the ground that the use of the Facebook Like button results in a breach of data protection legislation.

In his opinion, Advocate General Michal Bobek proposes to the Court of Justice to rule, first, that the directive does not preclude national legislation which grants public-service associations standing to commence legal proceedings against the alleged infringer of data protection legislation in order to safeguard the interests of consumers.

The Advocate General then proposes to rule that under the Data-Protection-Directive the operator of a website (such as Fashion ID) who has embedded on its website a third-party plugin (such as the Facebook Like button), which causes the collection and transmission of the user's personal data, shall be considered to be a joint controller, along with such third party (here Facebook Ireland).

However, that controller's (joint) responsibility should be limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.

That means that a (joint) controller is responsible for that operation or set of operations for which it shares or co-determines the purposes and means as far as a given processing operation is concerned. By contrast, that person cannot be held liable for either the previous and later stages of the overall chain of processing, for which it was not in a position to determine either the purposes or means.

On the facts in the present case, it thus appears that Fashion ID and Facebook Ireland co-decide on the means and purposes of the data processing at the stage of the collection and transmission of the personal data at issue. Subject to the referring court's verification, both Facebook Ireland and Fashion ID appear to have voluntarily caused the collection and transmission stage of the data processing and albeit not identical, there is unity of purpose: there is a commercial and advertising purpose (Fashion ID's decision to embed the Facebook Like button on its website appears to be inspired by the wish to increase visibility of its products via the social network).

Therefore, with respect to the collection and transmission stage of the data processing, Fashion ID acts as a controller and its liability is, to that extent, joint with that of Facebook Ireland.

As regards the legitimacy of the processing of personal data in the absence of the website user's consent, the Advocate General recalls that such processing is lawful under the directive in particular if three cumulative conditions are fulfilled: first, the pursuit of a legitimate interest by the data controller or by the third party or parties to whom the data are disclosed; second, the need to process personal data for the purposes of the legitimate interests pursued; and third, that the fundamental rights and freedoms of the person concerned by the data protection do not take precedence.

In this respect, the Advocate General proposes to the Court to rule that the legitimate interests of both joint controllers at issue (Fashion ID and Facebook Ireland) have to be taken into account and balanced against the rights of the users of the website.

The Advocate General also proposes to rule that the consent of the website user, where required, has to be given to the operator of the website (Fashion ID) that has embedded the content of a third party. Likewise the obligation to provide the website user with the required minimum information applies to the operator of the website (Fashion ID).

The Judges of the Court now begin their deliberations in the case. While the Advocate General's Opinion is not binding on the Court of Justice, it is rare for the full Court to diverge from the Advocate General's Opinion. Judgment will be given at a later date.

Advocate General's Opinion in Case C-40/17 - Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV