The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website
By contrast, that operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone.
FashionID, a German online clothing retailer, embedded on its website the Facebook ‘Like’ button.The consequence of embedding that button appears to be that when a visitor consults the website of FashionID, that visitor’s personal data are transmitted to Facebook Ireland.
It seems that that transmission occurs without that visitor being aware of it and regardless of whether or not he or she is a member of the social network Facebook or has clicked on the ‘Like’ button.
Verbraucherzentrale NRW, a German public-service association tasked with safeguarding the interests of consumers, criticises FashionID for transmitting to Facebook Ireland personal data of visitors to its website, first, without their consent and, second, in breach of the duties to inform set out in the provisions relating to the protection of personal data.The Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany), which is hearing the dispute, requests the Court of Justice to interpret several provisions of the former Data Protection Directive of 19951(which remains applicable to this case, but has now been replaced by the new General Data Protection Regulation of 20162 with effect from 25 May 2018). In its judgment, the Court finds, first, that the former Data Protection Directive does not preclude consumer-protection associations from being granted the right to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The Court notes that the new General Data Protection Regulation now expressly provides for this possibility.The Court holds, second, that it appears that FashionID cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter. It seems, at the outset, impossible that FashionID determines the purposes and means of those operations. By contrast, FashionID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue, since it can be concluded (subject to the investigations that it is for the Oberlandesgericht Düsseldorf to carry out) that FashionID and Facebook Ireland determine jointly the means and purposes of those operations.
It appears, inter alia, that FashionID’s embedding of the Facebook ‘Like’ button on its website allows it to optimise the publicity for its goods by making them more visible on the Facebook social network when a visitor to its website clicks on that button. The reason why FashionID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a buttonon its website is in order to benefit from that commercial advantage. Thus, those processing operations appear to be performed in the economic interests both of FashionID and of Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes constitutes the consideration for the benefit to FashionID.The Court makes clear that the operator of a website such as FashionID, as a (joint) controller in respect of certain operations involving the processing of the data of visitors to its website, such as the collection of those data and their transmission to Facebook Ireland, must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the processing.The Court has also provided further information in respect of two of the six cases provided for in the directive in which the processing of personal data can be considered lawful.Thus, with regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as FashionID must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.With regard to the cases in which the processing of data is necessary for the purposes of a legitimate interest, the Court finds that each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard