Joint controller whether you Like it or not...

Do you use one of the Facebook plugins, such as the ‘Like’ button, to anticipate your website visits? Then you might be a joint controller with Facebook. This follows from a recent judgment of the European Court of Justice (‘CJEU’) in the Fashion ID judgment (C-40/17).

The privacy infringing ‘like’ button

The case was brought by a consumer association against a fashion retailer who used the Facebook 'like' button on its website.

The use of such a plugin creates a connection between the website using the plugin and Facebook. In this particular case, it also meant that the IP address and browser string of mere website visitors were automatically forwarded to Facebook. This happened regardless of whether the website visitor clicks on the like button, regardless of whether that person has given his or her consent and even regardless of whether he or she is logged on to Facebook. In addition, cookies (session, datr and fr cookies) were placed by Facebook Ireland on the visitor's device.

The CJEU provided important clarifications regarding this data collection practice in its judgment of 29 July 2019 (here).

The joint controller

Under the GDPR, a ‘controller’ decides on the purposes and means of the processing of personal data. The CJEU previously clarified that the controller is not necessarily limited to a single person. Even the administrator of a fan page on Facebook is jointly responsible with Facebook for processing visitors’ personal data (C-210/16). It is therefore not surprising that here as well the CJEU considers the website operator to be a joint controller.

In the case at hand, the CJEU seems to be concentrating mainly on two aspects:

1. the fact that the retailer had a decisive influence over the processing of the personal data and
2. the own economic benefits it derived from using the plugin. The decisive influence would follow from the choice made by the website operator to install the plugin and thus enabling the transfer of personal data to Facebook. The economic benefits are simply to be considered as the publicity the retailer could receive on social media by using such a plugin.

The fact that the retailer has no influence on the use of the data by Facebook and did not even have access to the personal data in question, was irrelevant to the CJEU. In other words, the ruling indicates that the website operator and Facebook as the service provider of the plugin are likely to be regarded as joint controllers. This could also be applied to plugins similar to those of Facebook (i.e. any plugins that collect and/or transmit personal data).

The case also raises a number of questions. Under the GDPR, joint controllers must make an arrangement about who will execute which controller obligations and this needs to be transparent to the public. Given the amount of website operators using plugins, a huge number of website operators will have to make such an arrangement with Facebook or other service providers of plugins. For practical reasons, it is more likely that the latter will draw up such a standard arrangement. Just like after the Wirtschaftsakademie judgment (C-210/16) when a Joint Controller Addendum was drawn up by Facebook. Yet, there hasn’t been any official response from Facebook on the Fashion ID judgment.

The chain of processing

This case also shows that two separate processing operations of personal data can be regarded as a ‘chain’ of processing operations linked to each other in case of data being transmitted from one controller to the other. But what are the consequences if these processing activities are no longer considered separately? Luckily, the CJEU clarified that the website operator is only responsible for the collection and transmission of data on its own website. The retailer in this case can therefore not be held responsible for the processing of personal data by Facebook.

Consequences and recommendations

The possible qualification as joint controllers entails a number of obligations and other consequences for websites using plugins:

1. Duty to inform website visitors: the website operator must inform its visitors about the collection and transfer of personal information to the third party service provider of the plugin.
2. Duty to obtain prior consent: The website operator should obtain prior consent with regard to the processing activities for which the operator acts as controller.
3. Agreement between joint controllers: Under the GDPR, joint controllers are obliged to agree on who will carry out which controller obligations. This system should reflect the role and relationship of the joint controllers in relation to the data subjects and should also be made accessible. However, it remains to be seen how this will be implemented in practice.
4. Liability and fines: To date, no fine has been imposed in a case involving a joint controller. However, it should be borne in mind that fines have already been imposed when certain data protection principles, such as the obligation to provide information, have been violated. Following the judgement, the joint controller is responsible for “the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means”. This means that, in case of non-compliance of the provision of the GDPR, fines can be imposed. The website operator who fails to inform its visitors on the collection and the transmission of their personal data, could face fines under the GDPR.

In addition, and as explained, Article 26 GDPR imposes an obligation on joint controllers to make an arrangement. The breach of the controller's obligations under Article 26 of the regulation may lead to administrative pecuniary sanctions of up to EUR 10 million or, in the case of an undertaking, up to 2 % of its total worldwide annual turnover in the preceding business year. In other words, it is possible that the non-adoption of such an arrangement could lead to the imposition of a fine.

Side note

The abovementioned Fashion ID case decided on notions found in the European Data Protection Directive 95/46. Since the GDPR replaced that Directive and contains the same definitions and principles, this ruling can be applied equally to the provision written in the GDPR and more specifically in relation to the notion of ‘controller’.