The operator of a website embedding a third-party plug-in, such as the Facebook ‘Like’ button, which causes the collection and transmission of the users’ personal data, is jointly responsible with Facebook for that stage of the data processing, Advocate General (AG) Michal Bobek has recently opined.

EU law secures the right of every individual to protect personal data concerning him or her and to ensure that such data is only processed lawfully by any person, be it natural or legal, who is in possession of such data. The General Data Protection Regulation (GDPR) which has since last May replaced the data protection directive, lays down a robust legal framework in order to ensure that EU citizens’ rights in this respect are safeguarded to the utmost extent.

The facts of this case were briefly as follows. Fashion ID is a German online retailer which sells fashion items. It embedded a plug-in on its website: Facebook’s ‘Like’ button. This means that when a user lands on Fashion ID’s website, information about that user’s IP address and browser string is transferred to Facebook. Such transfer occurs automatically when Fashion ID’s website has loaded, irrespective of whether the users clicked on the ‘Like’ button and whether they have a Facebook account or not.

A German consumer association brought legal proceedings for an injunction against Fashion ID on the ground that the use of the Facebook ‘Like’ button results in a breach of data protection legislation. The national court seized of the case, sought guidance from the Court of Justice of the European Union (CJEU) as to the application of the provisions of the predecessor of the current GDPR, the 1995 Data Protection Directive, to the facts of the case at hand.

A data controller can only legally process personal data if three cumulative conditions are fulfilled

In his Opinion, the AG maintained that Fashion ID and Facebook Ireland were co-deciding on the means and purposes of the data processing at the stage of the collection and transmission of the personal data at issue.

He observed that both voluntarily caused the collection and transmission stage of the data processing and that they both had one common purpose, namely, a commercial and advertising one. The objective behind Fashion ID’s decision to embed the Facebook ‘Like’ button on its website was to increase visibility of its products via the social network.

Therefore, with respect to the collection and transmission stage of the data processing, Fashion ID was acting as a joint controller with Facebook Ireland and its liability was, to that extent, joint with that of Facebook Ireland.

AG Bobek observed that obviously the website operator’s responsibility was limited to those operations for which it co-decides with Facebook and could not be held liable for either the previous and later stages of the overall chain of processing.

The AG also affirmed that, in terms of the then applicable Data Protection Directive and in the absence of the data subject’s consent, a data controller can only legally process personal data if three cumulative conditions are fulfilled. These conditions namely referred to the pursuit of a legitimate interest by the data controller or by the third party to whom the data are disclosed, the need to process personal data for the purposes of the legitimate interests pursued and the assurance that the fundamental rights and freedoms of the data subject are respected. This means that, in the case under examination, the legitimate interests of both joint controllers – Fashion ID and Facebook Ireland – had to be taken into account and balanced against the rights of the website users.

If the controllers could not prove a legitimate interest and could only rely on consent as a legal basis for the data processing, then the operator of the website Fashion ID was obliged to obtain the consent of the website user to process his/her data. He was also obliged to provide such user with any information which legally ought to be given to the data subject.

Though in its decision, the CJEU can now opt to either discard or take on board the AG’s recommendations, the Opinion given by the AG highlights the importance of ensuring the utmost protection of a person’s personal data which includes a person’s IP address and browser string.

In a day and age, when social media is often used by business operators as a platform to advertise their services and products, such operators must ensure that this is not done to the detriment of the rights of individuals.

Mariosa Vella Cardona M’Jur, LL.D., is a freelance legal consultant who specialises in European law, competition law, consumer law and intellectual property law.mariosa@vellacardona.com.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.