This post is also available in: Español
In its judgment of July 29, 2019, the Court of Justice of the European Union (“CJEU”) ruled that the website administrator of a social media platform that includes the “Like” module, through which personal data are transferred to the provider of this module, will be considered data controller, within the meaning of Directive 95/46 (the “Directive”), albeit only for the processing operations for which it has determined the means and purposes.
This case arose when Fashion ID, an e-commerce company engaged in the sale of garments, inserted the “Like” module from the social media platform Facebook on its website. The referring court’s resolution infers that, when a person visits Fashion ID’s website, personal data are transferred to Facebook Ireland because it includes this button. This transfer of personal data occurs without visitors being aware of it and regardless of whether they are members of Facebook’s social network or whether they click the “Like” button.
In this context, Verbraucherzentrale NRW, a non-profit association for the defense of consumer interests, sought an injunction from the Regional Civil and Criminal Court of Düsseldorf against Fashion ID to put an end to the transfer of personal data of the visitors to its website without their consent and without having being informed of the processing of personal data.
In these circumstances, the Regional Superior Civil and Criminal Court of Düsseldorf requested a clarification of the interpretation of several provisions of the Directive from the CJEU.
First, it asked whether the administrator of a website, such as Fashion ID, which inserts a module such as the “Like” button that makes it possible to collect personal data, can be considered personal data controller under the Directive.
The CJEU stated that, in cases in which there is joint responsibility for processing, the agents do not necessarily have equal liability; rather, they can be involved in the processing of the data to different degrees and at different stages. Consequently, Fashion ID is not liable for the processing operations prior or subsequent to its participation, with respect to which it does not determine the purposes or means of the processing.
Nonetheless, in the framework of the main dispute, the CJEU ruled that, by inserting the “Like” module on its website, Fashion ID decisively influences the processing in the collection and transfer of personal data to Facebook Ireland, and both parties are jointly liable for the data processing. Furthermore, the CJEU ruled that data processing yields an advertising and promotional benefit for both Fashion ID and Facebook Ireland, as both jointly determine the purposes of the disputed processing operations, which are performed in their respective economic interest.
The CJEU concluded that a website administrator such as Fashion ID that inserts a module such as “Like” on a site, allowing the transfer of visitors’ personal data to the provider of that module, can be considered liable for the data processing, limiting this liability to the processing operation whose purposes and means it determines, in this case the collection and communication of the data.
The CJEU responded in the same manner to the following preliminary issues. Specifically, the CJEU stated that, given that both Fashion ID and Facebook Ireland must be jointly considered data controllers, each of them must fulfill the information and consent obligations in relation to the processing activities for which they determine the means and purposes.
Thus, given that the data owner must give its consent prior to the collection and communication of data, it is up to Fashion ID, and not to Facebook Ireland, to obtain such consent, insofar as it a visitor visiting the website that triggers the personal data processing process. Otherwise, effective and appropriate protection of the interested parties’ rights would not be guaranteed, if the consent were only given to the joint controller acting subsequently, i.e., Facebook Ireland. However, the consent that must be given solely refers to the operation or series of data processing operations whose purposes and means it effectively determines.
With regard to those data processing operations necessary to satisfy a legitimate interest, the CJEU states that each of the joint controllers, i.e., Fashion ID and Facebook Ireland, must pursue a legitimate interest so that these operations are justified.
This post is also available in: Español