The CJEU rules on the use of Facebook “Like” button and other third-party plug-ins

30 Jul 2019

Yesterday, 29 July 2019, the CJEU ruled in the case of Fashion ID, a German online clothing retailer, that embedding a social network plug-in on a website, such as a Facebook “Like” button, designates both Facebook and the site operator as joint controllers of the personal data collected and processed.

Let’s take a step back and explain the facts, because they are important. When a user visits a site that has a Facebook “Like” button (or any other third-party plug-in or tracking device), the site automatically collects and transmits information about the visitor (such as the visitor’s IP address, the browser they’re using, etc.) to Facebook. This information is considered Personal Data under GDPR. Crucially, this information is collected and sent to Facebook whether the user has clicked the “Like” button or not and whether the visitor is a Facebook user or not.

According to Techcrunch, “[l]ast year [Facebook] told the UK parliament that between April 9 and April 16 the button had appeared on 8.4M websites, while its Share button social plug-in appeared on 931K sites.”

The CJEU has ruled that, in relation to this collection of information, both the website operator and Facebook are joint controllers under EU data protection law (the case was based on the old Data Protection Directive, but is still relevant with GDPR now in place).

Under data protection law, joint controllership means that two (or more) entities collectively determine how certain personal data will be processed. Companies generally try to avoid joint control of data for two main reasons. The first is that the joint controllers must agree amongst themselves who will comply with the various GDPR obligations with respect to the processing of the data. For example, they must agree who will give a notice about the processing, who will be responsible for complaints made by data subjects, and so on. The second reason is that both parties are liable for the full compliance with GDPR for the the processing (not just the part that they carry out). Any individual whose data is being processed can exercise his or her rights against either of the joint controllers, regardless of whether that controller carried out the processing they are complaining about or not.

The good news is that the court’s ruling has limited the liability only to the act of the initial collection of data (such as the IP address and browser) in these cases. After the data is collected and transmitted to Facebook, a website operator is not responsible for what Facebook does with that data, which is logical.

Let’s turn back to the ruling. Being a joint controller with Facebook in this case has some odd and potentially onerous implications. I do not expect Facebook to start negotiating with every website operator over which provisions of GDPR each party will be responsible for.  They will undoubtedly, however, clarify this point in their policies, and will dictate the terms to website operators to ensure that the website’s privacy policy contains ample language to comply with transparency requirements under GDPR.

The liability issue, however, is a bit trickier. It will all come down to whether consent is necessary in order to deploy these third-party plug-ins on a website or not.

Last month, both CNIL, the French data protection authority, and the ICO, the UK data protection authority, released guidance on the use of cookies and other similar tracking devices. The conclusion of both sets of guidance is that, save for strictly necessary cookies and online trackers, consent is usually required before any such tool is used. This will likely apply to “Like” buttons and other social media plug-ins, as well as any other tracking tools (such as analytics tools) deployed on websites.  This means that consent will be required before the cookie is placed or the tracking software is deployed onto the site.

What are the takeaways?

First, companies must check their privacy policies and fair processing notices to ensure that the collection and transmission of visitors’ personal data by means of third-party plug-ins are adequately covered and disclosed.

Second, if consent is the only lawful basis for using these technologies going forward, it must be obtained before the tool is used in order to be deemed valid. This might mean that the technology itself will need to change to ensure that consent is obtained prior to deployment. In response to a question from Techcrunch, Facebook has admitted “it may make changes to the Like button to ensure websites that use it are able to comply with Europe’s GDPR.”

Finally, companies must realise the risks associated with the use of third-party plug-ins, essentially accepting joint liability with the third-party for the initial processing of personal data. On the flip side, for owners of third-party tracking tools, such as website analytics providers which allow the deployment of cookies on their customers’ websites, this risk will need to be carefully assessed and mitigated. The lack of a clear and transparent processing notice on a customer’s site stating that they transfer certain data to the analytics provider, for example, will allow a data subject to come knocking at the analytics provider’s door demanding answers.

It remains to be seen how widely this joint controllership concept will be adopted and applied by the regulators and the courts, and whether broad liability for both parties will become the new norm. For now, all we can do is be aware of the risks and try our best to minimise them.


Article written by Avishai Ostrin, Data Protection & Privacy Specialist, Asserson