If a website operator embeds a social plugin, such as the Facebook “Like” button, this triggers the collection and transmission of the visitors’ personal data to the plugin provider. The processed data include the IP address and the page content accessed by the visitors and are transmitted automatically by the browser even if the visitor does not have a social media account and regardless of whether the visitor clicks on the button.
This caused a legal dispute in Germany after the Verbraucherzentrale NRW, a public-service association tasked with safeguarding the interests of consumers, brought legal proceedings against the online retailer FashionID that used such social plugins, collecting and transmitting personal data to Facebook Ireland without informing its visitors or requesting their consent. Following a decision of the Regional Court Düsseldorf that ruled against FashionID, the Higher Regional Court Düsseldorf referred the case to the Court of Justice of the European Union (CJEU) requesting interpretation of several provisions of the former Data Protection Directive of 1995.
Although the Directive was repealed by the General Data Protection Regulation (GDPR) last year, the recent judgement of the CJEU can lead to a better understanding of the current European data protection law.
Admissibility of the Action
The Court held that consumer protection associations are granted the right to bring legal proceedings against a party that is allegedly responsible for the infringement of the protection of personal data under both the former Directive and the new General Data Protection Regulation.
Processing of Data
The Court found that FashionID shall be considered a joint controller together with Facebook Ireland regarding the processes it has influence on, namely the collection and transmission of personal data on its website. However, FashionID is not liable for the data processing carried out by Facebook after the data has been transmitted.
Therefore, the website operators must thoroughly inform their visitors about the data processing operations. Furthermore, a legal basis is necessary to lawfully process the personal data of the website visitors. The Court provides interpretation of two of the legal grounds enlisted in Article 6 GDPR.
The website operator must obtain the consent of the visitors regarding the operations in which it acts as a joint controller, namely the collection and transmission that occurs through the website plugins.
When it comes to the pursuit of a legitimate interest, it can be a legal basis only if the processing is necessary for the legitimate interests of both joint controllers.
A social plugin brings a lot of advantages for a website such as bigger outreach of its content, optimisation of its visibility on social media, keeping track on the popularity of the goods offered. In order to still use it and avoid liability, a website operator should inform the website visitors on all points enlisted in Article 13 GDPR such as the ways it processes data, the purposes of processing and legal grounds and the recipients of the data. In most cases these would be Facebook and Google as the most popular social plugin providers.
Case C-40/17, CJEU, Second Chamber, 29 July 2019, available at: http://curia.europa.eu/juris/document/document.jsf;jsessionid=C928F3FB3CCCF093027557F27F1CCD39?text=&docid=216555&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=8508664