Less ‘Like’ and More ‘In a Relationship’ — CJEU on Joint Controllership in Social Plug-ins

July 29, 2019

A Facebook "like" is actually more like "in a [Joint Controller] relationship" status, says the Court of Justice of the EU in its long-awaited Fashion ID decision.

At issue: The legal framework surrounding embedding a Facebook "Like" button on your website.

When a user visits a website on which a Facebook "like" button is installed, their personal data is transmitted to Facebook Ireland.

This includes:

  • the IP address of the visitor's computer
  • technical data of the browser (so that the server can determine the format in which the content is delivered to this address)
  • information about the desired content

The operator of the website is not able to determine the data that the browser transmits or what Facebook does with this data, especially if it decides to store and use it.

The transfer of information happens:

  • whether or not the individual is a member of the social network Facebook
  • whether or not the person has clicked on the "like" button
  • in many cases, without the individual being aware that the information is being collected or transmitted to Facebook

Key Takeaways

A website operator and Facebook can be joint controllers for the data collected via the website on which the button is installed:

  • The operator of a website that features a Facebook "like" button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website. However, the responsibility is limited to the operation or the set of personal data processing operations for which it actually determines the purposes and means, namely the collection and communication by transmission of the data in question.

Jointly determine the means of processing:

  • This is because by setting such a social module on its website, the website operator has a decisive influence on the collection and transmission of the personal data of visitors to that site for the benefit of Facebook Ireland which, in the absence of insertion of said module, would not take place. Therefore, the website operator may be said to jointly determine the means at the origin of the collection and communication operations by transmitting the personal data of visitors to the website.

Jointly determine the purposes of processing:

  • When you embed a Facebook "like" button on your website, it allows you to optimize the publicity for your products or services by making them more visible on the Facebook social network. This is a commercial advantage for the website operators. Facebook, in turn, can use the data for its own commercial purposes (and this is the consideration for the benefit to the website operator). Therefore, it may be said that the website operator and Facebook Ireland jointly determine the purposes of the collection and communication operations by transmitting the personal data.

The fact that a website operator does not itself have access to the personal data collected and forwarded to the provider of the social module, with which it jointly determines the means and the purposes of the processing of personal data, does not preclude it from qualifying as a controller.

The responsibility of a website operator with regard to the processing of the personal data of individuals who do not have Facebook accounts appears even more important, since merely visiting a site that includes Facebook's "Like" button seems to trigger the processing of their personal data by Facebook Ireland.

Disclosure requirements

  • As a joint controller, the website operator must, at the time of the collection of the data, provide the required disclosures to the user such as its identity and the purposes of the processing.

Legal basis

  • Where a website operator relies on the user's consent to process the "like" button information, it is the one that is responsible for procuring the consent. The consent must be acquired prior to the collection and communication by transmission of the data of the data subject. However, the consent is required (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.
  • Where a website operator wishes to rely on its legitimate interest as the legal basis for the processing of data, each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard.

Only Facebook is the controller after the data has been transmitted to Facebook

  • The website operator is not, in principle, a controller in respect of the subsequent processing of the data carried out by Facebook alone.
  • This is because the website operator cannot determine the purposes and means of the subsequent personal data processing operations carried out by Facebook after transmission to it.

Read the EU Press Release:

Read the CJEU's full decision (available in French and German)

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at 215.444.7313.
