On July 29, 2019, the European Court of Justice (the “ECJ”) decided that website operators are joint controllers, and thus jointly liable, with plug-in providers when embedding their social media buttons (or other plug-ins) that collect and transmit personal data. The ECJ also decided that the website operator, rather than the plug-in provider, is responsible for obtaining consent and providing notice for such plug-in’s data collection and transmission.
The case at hand, Fashion ID, was decided under the EU Data Protection Directive (the “Directive”). However, the decision will continue to have effect under the General Data Protection Regulation (the “GDPR”), since the definitions and concepts it considers remain applicable.
Finally, while the decision pertained specifically to the use of social media plug-ins, its reasoning applies equally to website operators that embed other advertising technologies (e.g., cookies, pixel tags, or mobile SDKs) and to the providers of such technologies.
Fashion ID embedded the Facebook ‘Like’ button onto its website. Because the button’s embed code runs as soon as the page loads, each visitor’s browser sent personal data (such as the visitor’s IP address and browser string) to Facebook Ireland even if the visitor (a) was not a Facebook member and (b) never clicked the button.
A German public-service association brought legal proceedings against Fashion ID for not obtaining prior consent or providing appropriate notice for the data collection and transmission carried out through the ‘Like’ button.
The Dusseldorf Higher Regional Court (the “Referring Court”) asked the ECJ to make a preliminary ruling on whether (a) a website operator was a controller when embedding a third-party plug-in that collected and transmitted personal data and (b) if yes, what obligations the website operator had regarding establishing a legal basis and providing notice to the end-user in relation to use of such plug-in.
Website Operators and Plug-in Providers are Joint Controllers (For Certain Operations)
The ECJ clarified the test for determining whether an organization is a controller (including joint controller).
The ECJ reiterated that processing consists of discrete operations performed on personal data (e.g., collection, transmission, recording, storage). An organization is therefore a controller only for those operations whose “purposes and means” it determines, either alone or jointly with others.
In this particular instance, the ECJ determined that Fashion ID and Facebook Ireland were joint controllers for two operations: (1) the collection of personal data and (2) the transmission of personal data to Facebook Ireland, in each case, through the Facebook ‘Like’ button.
- The “purpose” of processing
The ECJ stated that Fashion ID embedded the ‘Like’ button “…in order to benefit from the commercial advantage…” of having its products more visible on Facebook when a user clicks on the button.
Likewise, for Facebook Ireland, the consideration for the added publicity for Fashion ID products is Facebook Ireland’s ability to use the data derived from the button for its “own commercial purposes.”
- The “means” of processing
The ECJ stated that Fashion ID exerted a “decisive influence” over the collection and transmission of personal data to Facebook Ireland by deciding to embed the ‘Like’ button in the first place.
Likewise, Facebook Ireland determined what specific personal data was collected and transmitted to Facebook Ireland through the ‘Like’ button.
“Legitimate Interest” May Be Allowed (But Watch Out for the ePrivacy Directive)
The ECJ held that each joint controller must have a valid legitimate interest if they wish to rely on this legal basis for data collection and transmission through the plug-in.
The ECJ left it to the Referring Court to determine whether Article 5(3) of the ePrivacy Directive applied in this case. That provision requires consent for the use of technologies that store information, or “gain access” to information already stored, on end-user devices; where it applies, that consent is required irrespective of the legal basis relied on under general data protection law.
Website Operators Must Obtain Consent and Provide Notice
The ECJ stated that, where the joint controllers are relying on consent as their legal basis, they must obtain such consent prior to any data collection or transmission through the plug-in. As such, the ECJ determined that, “…it is for the operator of the website, rather than the provider of the social plugin, to obtain that consent” since the processing operations are triggered when the end-user visits the website.
The ECJ also stated that the website operator is responsible for providing notice of the plug-in’s operations, since notice must be provided at the time of data collection.
However, the website operator does not need to obtain consent or provide notice for any other operations where it is not a controller (such as subsequent processing carried out by the plug-in provider).
Takeaway Action Items
Though this case concerned a social media plug-in, the ruling applies equally when website operators use other advertising technologies (e.g., cookies, pixel tags, mobile SDKs) that collect and transmit personal data.
As such, website operators and their advertising technology providers (“AdTech Providers”) in particular may need to take certain steps to ensure that processing is in line with Fashion ID.
As a website operator, it is imperative to:
- Understand what advertising technologies are embedded on your website or mobile app and how they are used.
- In particular, determine (a) which technologies are embedded, (b) which AdTech Providers supplied them, and (c) whether those technologies collect and transmit personal data to the AdTech Providers (or others), bearing in mind that many do so on page load, before the end-user interacts with them.
Where joint controllership exists, both website operators and AdTech Providers must:
- Revise their contracts
- As applicable, GDPR Article 26 requires joint controllers to determine, by means of a transparent arrangement, their respective responsibilities for compliance (in particular for providing information to end-users and handling their rights), so existing contracts should be revised to reflect the scope of joint controllership and who does what.
- Update privacy notices
- Article 26 also requires that the essence of the arrangement of responsibilities between joint controllers be made available to the relevant end-users.
- Based on Fashion ID, the website operator is typically in the best position to provide these, and other, details as part of appropriate “notice” of these joint processing operations.
- Have a valid legal basis for joint processing operations
- Based on Fashion ID, website operators are typically in the best position to obtain consent for the use of advertising technologies on their sites, and that consent must be obtained before the technology loads and begins collecting or transmitting data.
- Where relying on legitimate interest instead, both parties should (a) establish a legitimate interest and (b) carry out and document the required “balancing test” in case of regulatory inquiry. Remember that where Article 5(3) of the ePrivacy Directive applies (storing information on, or gaining access to information stored on, the end-user’s device), consent is required and legitimate interest is not an available alternative.
Finally, since AdTech Providers do not have a direct relationship with end-users, they need to consider working with website operators to obtain appropriate consent (or to establish another legal basis) on the AdTech Providers’ behalf for operations subsequent to those in which they are joint controllers.