On 29 July 2019, the Court of Justice of the European Union (CJEU) made a judgement long awaited by many, concerning the legal requirements of embedding the Facebook “Like” button into a website (decision of 29 July 2019, C-40/70). With its decision, the CJEU clarifies the controversial question of whether a website operator is responsible for data processing of the website’s users by Facebook. The court also comments on information duties and consent requirements. Although the CJEU ruling is based on the provisions of the former Data Protection Directive, the considerations should equally apply under the GDPR. The decision will require adaptation by many website operators to avoid possible fines or cease and desist claims.
By implementing the Facebook “Like” button into a website, the website operator opens a connection between its users and Facebook. Whenever a user accesses the website, user data, such as IP addresses, will be forwarded to Facebook, regardless of whether the user has a Facebook account. Thus, while the website operator has no influence on how Facebook handles the user data it received from the website operator, by implementing the Facebook “Like” button into the website, the website operator triggered the subsequent data use by Facebook. Up until the judgment by the CJEU, it was not entirely clear to what extent the website operator was responsible for the data transfer to and the data use by Facebook.
According to the CJEU’s ruling, website operators will no longer be able to deny their responsibility with the argument that the data processing in relation to the “Like” button is exclusively conducted by Facebook. The court has clearly positioned itself to the effect that the website operator and Facebook are jointly responsible for the data processing on the website concerning the “Like” button. For the responsibility of the website operator, the CJEU considers it sufficient that the operator has implemented the “Like” button on its website and thereby pursues its own economic interests. Reasoning its decision, the CJEU pointed out that embedding a “Like” button enables the operator to make their goods more visible on Facebook and, thus, optimize the publicity of their goods.
However, the qualification as joint controllers does not exceed to subsequent processing by Facebook following the data collection on the website. This later phase is in the exclusive responsibility of Facebook.
Despite the fact that the Court's observations are based on the interpretation of provisions of the former Data Protection Directive, the judgment is equally relevant under the GDPR. The relevant definitions of the terms "processing" and "controller" have changed only insignificantly within the framework of the GDPR, so that the considerations of the European Court of Justice on the interpretation can be transferred to the current regulatory regime.
For lack of relevance to the decision, the CJEU did not have to decide whether the implementation of the Facebook “Like” button requires the user’s consent. This question still has to be decided by the court of first instance (Higher Regional Court Düsseldorf, decision of 19 January 2017, I-20 U 40/16). However, according to the CJEU, the qualification as joint controllers means that the data use by both Facebook and the website operator need to be justified by a legal basis when processing the data on the website. Thus, in case consent is used as legal basis, the court stated that a valid consent would need to be obtained by the website operator, and it would not be sufficient to rely on Facebook in that regard.
The decision of the CJEU referred to questions regarding the implementation of the Facebook “Like” button. However, the CJEU indicated that its considerations equally apply to other social media plug-ins. Thus, the decision is also relevant for website operators that have integrated e.g. plug-ins for Twitter or LinkedIn.
Further, we expect that the CJEU’s ruling will have impact on any third party content embedded in a publisher’s website in the future, e.g. for tracking or analytics purposes. Therefore, publishers should review whether and in what manner third party content is embedded as well as if the proper technical and legal mechanisms are in place for such integration.
Violations of the requirements for implementing social media plugins can result in fines under the GDPR.
In addition, the CJEU came to the conclusion that consumer protection societies and other third parties are eligible to claim for potential violations of data protection laws on behalf of a data subject in scope of the former Data Protection Directive 95/46/EC. National regulations that allow for such claims do not contradict the harmonized regulations in the Directive, and the Court emphasized that this reflects the intention of the European lawmaker as set out in the GDPR. This is particularly relevant as consumer protection societies are often more aggressive than data protection authorities and the societies are experienced with the enforcement of consumer protection regulations before the courts.
We therefore expect increasing activities by these societies and a stronger focus on data protection non-compliance in future. Thus, we recommend refresher-assess whether your website is in compliance with GDPR (and ePrivacy) requirements.
The qualification as a joint controller does not mean that one controller can rely on the compliance of the other, but that both have to ensure that the obligations under the GDPR are complied with. Thus, following issues should be considered by website operators: