CJEU rules that companies using social plugins are liable for the collection and transmission of data

On 29 July 2019, the Court of Justice of the European Union (the "CJEU") ruled that a company embedding on its website a social plugin, such as a Facebook “Like” button, can be considered a data controller, when the inclusion of the plugin results in the browser of a visitor fetching content from the plugin provider and sending personal data of the visitor to that provider.

On 29 July 2019, the Court of Justice of the European Union (the "CJEU") ruled that a company embedding on its website a social plugin, such as a Facebook “Like” button, can be considered a data controller, when the inclusion of the plugin results in the browser of a visitor fetching content from the plugin provider and sending personal data of the visitor to that provider. The CJEU found that although the company may not be found responsible for the subsequent processing of data carried out by the social plugin provider, it is nevertheless responsible for facilitating the collection and transmission of data to the plugin provider via the insertion of the plugin on the website.

In the case at hand, an online fashion retailer, Fashion ID, embedded the Facebook 'Like' button on its webpage. It is alleged that whenever users visited the Fashion ID website, the visitors’ information would be transmitted to Facebook as a result of the button being embedded on the website "whether or not he or she is a member of the social network Facebook or has clicked on the Facebook ‘Like’ button."

Consumer advocates part of the German public-service association Verbraucherzentrale NRW then initiated legal proceedings in Germany against Fashion ID to force it to stop embedding the 'Like' button, arguing that Fashion ID's customers were not aware that the mere presence of the 'Like' button on the website meant that information concerning them would be transmitted to a social media platform, even if these customers did not actually use or click on the button. The German court referred the questions to the CJEU for guidance on the matter.

Joint controllership status due to the embedding of the social plugin

The CJEU found that the company was a joint controller, despite its inability to influence the processing of the data transmitted to the plugin provider: according to the CJEU, "the existence of joint liability does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data" and that "the level of liability of each of them must be assessed with regard to all the relevant circumstances of the particular case". It was not contested in the proceedings before the CJEU that the transferred data qualified as 'personal data' since that was the conclusion reached by the referring court.

Although the case was decided under the European Data Protection Directive 95/46, the ruling is relevant to the GDPR since the same definitions and concepts can be found in the GDPR. As a reminder, article 4 of the European Data Protection Directive 95/46 defines a controller as the entity who "determines the purposes and means of the processing of personal data" – the same definition can be found in article 4 of the GDPR.

Therefore, if an entity is making meaningful decisions about 'the purposes and means of processing', then it is a controller. In this regard, the CJEU noted that the concept of a 'controller' does not necessarily refer to a single entity and may concern several actors, as per the CJEU's prior judgments C‑210/16 of 5 June 2018 and C‑25/17 of 10 July 2018 where it held that the joint responsibility of several actors for the same processing does not require each of them to have access to the personal data concerned. As a side note, in Case C-210/16, the CJEU had previously found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data relating to visitors of its page.

As a result, if Fashion ID has “made it possible” for a plugin provider to collect information from visitors by embedding the social plugin on its website, then it is a 'controller' in accordance with European data protection law: according to the CJEU, this is because the company has exerted "a decisive influence over the collection and transmission of the personal data of visitors" to the plugin provider because the processing would not have occurred without the plugin being embedded in the website.

In addition, according to the CJEU, "the reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a plugin on that website is in order to benefit from the commercial advantage consisting in increased publicity for its goods". Thus, if a company gets some form of benefit from the use of the social plugin, such as a "commercial advantage consisting in increased publicity for its goods", then it appears that such company has in fact determined the purposes of the processing involving the collection and disclosure of personal data to the plugin provider.

However, the CJEU found that the company could only be held liable for the processing operations where it effectively 'determines the purposes and means of the processing of personal data' (in this case, the collection and transmission of the personal data of visitors to the plugin provider), but could not be held liable for the processing operations carried out by the plugin provider after the transmission of the data took place.

Legitimate interest requirement

Given the CJEU's above finding that both the website operator and the provider of the social plugin are 'joint controllers', it is necessary for the company to have a legal basis for the processing of the personal data. In this respect, the CJEU clarified that it is necessary that each of the joint controllers, namely the operator of the website and the plugin provider, must pursue a legitimate interest in relation to the collection and transmission of personal data in order for those operations to be justified in that regard.

Duties imposed on website operators

The CJEU further stated that the website operator has a duty to inform the visitors of the website and to obtain the consent of such visitors in relation to the processing of personal data, although these obligations only relate to the processing activities in respect of which it actually determines the purposes and means. In particular, the CJEU found that it is for the operator of the website, rather than for the provider of the social plugin, to obtain the consent of visitors, since it is the fact that the visitor is accessing or consulting the website that triggered the processing of personal data. The CJEU further confirmed that the operator of the website must provide certain information to visitors of the website (such as the identity and purposes of the processing) prior to the collection and disclosure of the data.

So what does this all mean in practice?

First, it is important to note that the CJEU did not make any statement as to what the 'Like' button is actually doing in practice and left that determination up to the German court who referred the question. In fact, the CJEU has repeatedly stated throughout the decision that it is "subject to the investigations that it is for the referring court to perform". Therefore, if no personal data is in fact collected pursuant to the display of the 'Like' button or the use of other social plugin, then the outcome of the case would be different. This also means that the ruling is not limited to the 'Like' button or other social plugins: as long as personal data is collected by a website and transmitted to a third party, then it is likely that the CJEU would apply the same reasoning.

Secondly, the decision sheds some light as to the concept of 'controller' and 'joint controller': as long as an entity “makes it possible” for another to collect personal data of website visitors, then it appears to qualify as a 'controller' of personal data. That is not to say that every entity who plays a role of facilitator in the collection or transmission of personal data automatically becomes a 'joint controller' under data protection laws. Instead, the 'joint controller' status is likely to be limited to processing operations for which it effectively co-decides on the means and purposes of the processing of the personal data. In the absence of such co-decision, the entity is unlikely to be deemed a joint controller. Nevertheless, this co-decision requirement can take many shapes since it appears that such requirement can be met whenever a website operator integrates a plugin into its website and derives some form of benefit from the integration (e.g. making products more visible on a social media platform).

In short, this ruling means that website operators should review the contents of their website to determine if they contain any (social) plugins and if the website visitors’ personal data are collected and shared with a third party, in which case they should determine their legal status, review their existing arrangements with the providers of such plugins as well as review their notices and legal bases determinations.