Do you use one of the Facebook plugins, such as the ‘Like’ button, to boost visits to your website? Then you might be a joint controller with Facebook. This follows from a recent judgment of the European Court of Justice (‘CJEU’) in the Fashion ID case (C-40/17).
The case was brought by a consumer association against a fashion retailer who used the Facebook 'like' button on its website.
The use of such a plugin creates a connection between the website using the plugin and Facebook. In this particular case, it also meant that the IP address and browser string (user-agent string) of mere website visitors were automatically forwarded to Facebook. This happened regardless of whether the website visitor clicked on the like button, regardless of whether that person had given his or her consent and even regardless of whether he or she was logged on to Facebook. In addition, cookies (session, datr and fr cookies) were placed by Facebook Ireland on the visitor's device.
The CJEU provided important clarifications regarding this data collection practice in its judgment of 29 July 2019.
Under the GDPR, a ‘controller’ decides on the purposes and means of the processing of personal data. The CJEU previously clarified that the controller is not necessarily limited to a single person: for instance, the administrator of a fan page on Facebook is jointly responsible with Facebook for processing visitors’ personal data (C-210/16). It is therefore not surprising that here, too, the CJEU considers the website operator to be a joint controller.
In the case at hand, the CJEU seems to be concentrating mainly on two aspects:
The fact that the retailer had no influence on the use of the data by Facebook, and did not even have access to the personal data in question, was irrelevant to the CJEU. In other words, the ruling indicates that the website operator and Facebook, as the provider of the plugin, are likely to be regarded as joint controllers. The same reasoning could be applied to plugins similar to those of Facebook (i.e. any plugins that collect and/or transmit personal data).
The case also raises a number of questions. Under the GDPR, joint controllers must make an arrangement about who will fulfil which controller obligations, and this arrangement needs to be transparent to the public. Given the number of website operators using plugins, a huge number of them will have to make such an arrangement with Facebook or with other providers of plugins. For practical reasons, it is more likely that the latter will draw up a standard arrangement, just as Facebook drew up a Joint Controller Addendum after the Wirtschaftsakademie judgment (C-210/16). As yet, however, there has not been any official response from Facebook to the Fashion ID judgment.
This case also shows that two separate processing operations of personal data can be regarded as a ‘chain’ of processing operations linked to each other where data is transmitted from one controller to the other. But what are the consequences if these processing activities are no longer considered separately? Fortunately, the CJEU clarified that the website operator is only responsible for the collection and transmission of data on its own website. The retailer in this case can therefore not be held responsible for the subsequent processing of personal data by Facebook.
The possible qualification as joint controllers entails a number of obligations and other consequences for websites using plugins:
In addition, and as explained above, Article 26 GDPR obliges joint controllers to make an arrangement. A breach of the controller's obligations under Article 26 of the regulation may lead to administrative fines of up to EUR 10 million or, in the case of an undertaking, up to 2 % of its total worldwide annual turnover in the preceding business year. In other words, failing to adopt such an arrangement could lead to the imposition of a fine.
The Fashion ID case was decided under the notions found in the European Data Protection Directive 95/46. Since the GDPR has replaced that Directive and contains the same definitions and principles, this ruling can be applied equally to the corresponding provisions of the GDPR, and more specifically to the notion of ‘controller’.