CJEU says websites which embed a Facebook 'like' button are joint data controllers

Facebook 'like' and other social media buttons are often embedded by businesses in their websites to enable users to like and share content. Facebook 'like' buttons collect user data (including IP addresses) as soon as the user lands on the webpage, regardless of whether or not they click on the 'like' button or whether or not they have a Facebook account. This data includes IP addresses and is sent to Facebook. Facebook may then use the data in other processing operations.

There has been a lack of clarity around responsibility for the initial processing of data sent to Facebook from external websites as a result of plugins. A case was brought by a German consumer protection association which claimed the plugin breached then current data protection legislation (the GDPR did not apply at the time but the judgment is relevant under the GDPR).

What's the development?

The CJEU has held that website operators are joint data controllers with respect to data collected and transmitted to Facebook through 'like' plugins The CJEU followed December's AG Opinion and agreed that the website operator was a joint controller with Facebook for a limited time at the specific stage of the data processing in which it was engaged. It was not a joint controller in relation to further processing over which it had no control.

What does this mean for you?

This decision means that where a Facebook or other social media plugin is used, a lawful basis is needed to justify the processing both by the website operator and the operator of the plugin (in this instance Facebook).

Whether or not the lawful basis has to be consent is to be decided by the German courts, but any legitimate interests balancing exercise will have to take account of the legitimate interests of both the plugin operator and the website operator.

Transparency requirements also have to be complied with. This means that the website operator must include appropriate information (most likely in its privacy policy) about the initial data processing resulting from the plugin and that further processing may occur over which it has no control. A link to the privacy policy of the plugin operator will probably be needed.

In addition, a joint controller agreement will be necessary between the website and plugin operators and information about this will also have to be provided to the website visitor.

It is also arguable that this decision will impact any third party content which is embedded in a website which processes personal data, for example, for tracking or analytics.

Read more

See our full summary for more detail and recommendations.