Embedding “Like” Buttons on Your Online Platform: Are You a Data Controller?

Do you, like a large number of website operators and platforms, have a plugin which incorporates a Facebook ‘Like’ button on to your website?

If so, following on from a recent European Court decision, you may be a joint controller of data under the GDPR, which will charge you with serious data protection responsibilities. 

What is a Data Controller?

Under the General Data Protection Regulation (EU/2016/679), a data controller determines why and how personal data must be collected and processed (Article 4(7)), while a data processor simply processes personal data on behalf of the controller (Article 4(8)), often a third-party company. 

A data controller must implement appropriate technical and organisational measures ensuring and demonstrating that any data processing is being performed in accordance with the GDPR (Article 24). They are tasked with determining the specific purpose of their data processing activities and ensuring that only personal data required for this purpose is processed (Article 25). 

Data controllers are strictly responsible for the amount of personal data collected, the extent of processing carried out, the period of storage and the accessibility of the data (Article 25). Where there are two (or more!) controllers jointly determining the purposes of data processing, they are joint controllers together and share these responsibilities (Article 26). 

Facebook ‘Like’ Buttons on Websites

More than two billion people use Facebook every month, more than a third of the world’s population. Embedding a Facebook “Like” button on a website can bridge between social followers and digital feeds. These buttons can be incredibly effective at increasing the reach of products, such as fashion items, across social media. However, it now seems that they can also burden websites with heavy responsibilities.

The European Court of Justice has recently delivered a judgement that by incorporating a “Like” button, website providers could be deemed to be a controller jointly with Facebook in respect of the collection of personal data. 

In Fashion ID GmbH & Co. v Verbraucherzentrale NRW eV, the judgement came down on a German online clothing retailer called Fashion ID which had embedded a Facebook “Like” button on its website. A German consumer protection body called Verbraucherzentrale NRW had begun legal proceedings against the online clothing retailer in 2015 when it claimed that the Like button constituted a data protection breach.

The German consumer protection board pointed out that when a user visited Fashion ID’s website their data was being transmitted to Facebook Ireland regardless of whether they clicked on the button or even whether they were a member of Facebook. Visitors had not consented to this transmission of data; in fact, they did not even know it was occurring!

The consumer protection body took the case to court, arguing that Fashion ID was wrong to transmit the personal data of its customers to Facebook without obtaining their consent and that it was in breach of its duties to inform customers of processing, as set out in the provisions relating to the protection of personal data.

The European Court’s Decision

The case was referred to the Court of Justice by the Higher Regional Court in Düsseldorf.

While the Court had originally been asked to interpret the former Data Protection Directive of 1995, its judgement set out that the circumstances now also applied to the GDPR, which has superseded the Directive.

The Court firstly decided that Fashion ID could not be considered to be a controller of data with regards to the operations carried out by Facebook Ireland after that data has been transmitted away from the site. It accepted that, once the data had been transmitted to Facebook, the online clothing retailer had no control over the purposes and means of data processing which was carried out. 

However, the Court held that the fashion retailer is a controller jointly with Facebook in respect of the operations involving the collection and disclosure of data which was then transmitted to Facebook Ireland. Here, the Court felt that Facebook Ireland and Fashion ID jointly determined the means and purposes of these operations. 

This decision is a preliminary ruling in accordance with the procedure before the Court, and the Court of Justice of the European Union does not decide the dispute itself. The case will be referred back to the national court in Germany which will decide the outcome of this case ultimately. However, the national court must apply the law to the facts as set out in the European Court’s decision, which is now binding on it and any other national courts hearing similar issues. 

What Responsibilities Does This Create?

The Court has warned of the responsibilities that being a joint controller could bring to website providers such as fashion retail platforms. If processing operations will be carried out due to plug-ins such as “Like” buttons, websites must provide clear information of this to visitors at the time of the collection. This includes the identity of all the controllers and the purposes of the processing. 

Website operators such as online fashion retailers must obtain prior consent with respect to the operations that are to be carried out for which they are a joint controller. Users must be aware, and clearly consent, if their data is to be collected and transmitted. 

The GDPR does allow for processing to be carried out where it is in the controllers’ legitimate interests to do so (Article 6(1)(f)). However, the Court has warned that in these instances it is not sufficient for only one of the controllers to be pursuing a legitimate interest; both controllers must be pursuing a legitimate interest through the collection and transmission of personal data in order for their operations to be justified, whilst ensuring the utmost protection of the rights and freedoms of data subjects.

If you are a website owner using Facebook plug-ins or think that you might be a joint controller under the GDPR and would like further information, please don’t hesitate to get in contact.

Article by Lily Morrison @ Gerrish Legal, August 2019
