On 29 July 2019, the Court of Justice of the European Union handed down its decision in the Fashion ID case, dealing with alleged unlawful data collection through the Facebook Like button and the controllership of said data. In short, the CJEU held that websites containing embedded third-party content can be joint controllers in respect of the collection and transmission of such data, but not the subsequent processing by the third party. Due to the date of the facts, the case was heard under the Data Protection Directive; however, the judgment will also be applicable to the concept of joint controller under the General Data Protection Regulation.
In 2015, the German consumer protection organisation Verbraucherzentrale NRW took legal action against Fashion ID, objecting to the use of a Facebook plug-in on its website. The plug-in automatically transferred the website user’s IP address to Facebook when the user visited the Fashion ID website, without the user having to interact with the plug-in (i.e. without having clicked on the embedded Like button). The consumer organisation argued that this breached data protection legislation.
Under the DPD, a data controller is an entity which, “alone or jointly with others,” determines the purposes and means of processing personal data. The CJEU’s interpretation of the concept of joint controller is broader. The CJEU held that Fashion ID and Facebook were joint controllers in respect of the collection and processing of the personal data on the website. The fact that Fashion ID did not have access to the personal data collected by Facebook was held to be irrelevant for the purposes of categorising Fashion ID as a joint controller of the data. However, Fashion ID was not a joint controller in respect of subsequent processing by Facebook. The CJEU confirmed that Fashion ID is responsible for satisfying data subject notice requirements and, where necessary under the ePrivacy Directive, collecting consent.
The implications of the Fashion ID decision may not be limited to embedded third-party plug-ins. For example, the rationale for the decision could be applied in the context of cookies, which could have major implications for the adtech industry. The supervisory authorities in the UK and France have both signalled their intent to issue guidance on the adtech sector, and their reports may now have to consider this decision. In any case, Fashion ID confirms that joint controllership is a broad concept.
So, what should website operators do?
- Ensure legal responsibility is delineated in agreements with third parties whose plug-ins are deployed on the site. It is likely that Facebook will update its standard agreements to account for the joint controller status confirmed by this decision.
- Identify an appropriate legal basis for processing. If legitimate interests is relied upon as the legal basis, it is important to remember that a Legitimate Interests Assessment should be conducted and documented.
- Provide the website users with notice of the processing, in order to satisfy the GDPR’s transparency obligations.
Cooley will be monitoring developments in this area and will issue updates on the c/d/p blog.
The CJEU’s full judgment can be found here.