The Court of Justice of the European Union ("CJEU") published its long-awaited decision on the use of the Facebook Like-Button on July 29, 2019 (Case C-40/17). One major aspect of the judgment is the question to what extent Facebook and website operators who incorporate the Like-Button into their website are joint controllers under European data protection law. As a result, the CJEU affirms this question and takes a firm stand on the conditions for joint controllership. Against this background, the judgment is of great importance, not only for website operators, but in general for data processing organizations that process personal data together with other parties.
The Facebook Like-Button is a social media plugin which can be integrated by website operators on their homepage via program code. This gives users the option to share the websites on which the Like-Button is integrated on their Facebook profile.
Website operators can thus increase the reach of their websites or the products displayed there. From a technical point of view, a so-called cookie is placed on the users' computer by Facebook when a website on which the Like-Button is implemented is simply accessed. In this case the cookie automatically transmits data to Facebook. Facebook then uses this data to evaluate the user’s behavior and individual preferences. Facebook's aim is to display individualized advertising. This includes not only users of the website who are already registered on Facebook, but also non-members outside of the social network. Facebook also creates corresponding profiles for these users.
The subject of the proceedings before the European Court of Justice was in particular the question of the extent to which the respective website operator, together with Facebook, acts as joint controller for processing the collected personal data within the meaning of Directive 95/46 (the so-called Data Protection Directive). However, due to the concurrent requirements for joint controllership, this question is also relevant for the General Data Protection Regulation ("GDPR"), which has been in force since May 2018 and replaces the Data Protection Directive. In general, joint controllership exists when two or more persons jointly decide on the means and purposes of the processing of personal data. If this is the case, the joint controllers are obligated to sign an agreement specifying who is responsible for compliance with the individual data protection provisions of the GDPR (see Art. 26 GDPR). This applies in particular to the implementation of the rights of data subjects, as well as the duty to provide information. Furthermore, the parties subject to joint controllership are jointly and severally liable vis-à-vis the data subjects for violations of the data protection regulations in the GDPR.
In his Opinion, the Advocate General already took the view that Facebook and the respective website operator using the Like-Button are joint controllers for the personal data collected, since they jointly determine the means and purposes of the data processing. Unsurprisingly, the CJEU has followed the Advocate General's statements in its decision and also affirms the joint responsibility of Facebook and the respective website operator.
As in previous decisions, the CJEU explicitly states that the aim of the Data Protection Directive (and thus also of the GDPR) is to ensure a high level of protection for data subjects, in particular with regard to the processing of personal data. For this reason, the concept of the controller under data protection law is to be interpreted broadly. In this respect, the decisive factor is whether the respective natural or legal person influences the processing of personal data and thus participates in the decision on the purposes and means of processing.
Following this, the CJEU conducts a determined examination of the extent to which there is joint decision-making on the one hand concerning the means and on the other hand concerning the purposes of the processing.
With regard to the means of data processing, according to the CJEU, joint decision-making takes place, since Facebook provides the plugin and the website operator integrates the plugin into its website with the knowledge that personal data is collected and transmitted to Facebook. As a result, both Facebook and the website operator significantly influence the collection and transmission of the personal data collected using the plugin, because without the provision and subsequent integration of the plugin by the website operator, the aforementioned processing would not take place at all. As a result, both Facebook and the website operator have deliberately initiated the collection and transmission of personal data.
With regard to the purpose of data processing, according to the CJEU, the inclusion of the Like-Button by the website operator serves to increase the visibility of its products via the social network. By integrating the plugin on the website, at least the tacit consent of the website operator to the associated data processing takes place, specifically the collection of personal data and the forwarding thereof to Facebook. At the same time, the collected data is used by Facebook for its own commercial purposes. Although there is no identical commercial use of the data in this respect, the website operator and Facebook pursue general commercial purposes that mutually complement each other. Grounds for this conclusion can be found in the fact that the economic benefit for the website operator from the integration of the Like-Button is a kind of consideration for the fact that Facebook can use the collected data for its own economic purposes. As already stated by the Advocate General, there is therefore a unity of purpose despite the lack of an identity of purpose. In the view of the CJEU, this is sufficient for a common definition of the purpose.
At the same time, the CJEU emphasizes that joint controllership is limited to the phases of data processing (or the associated processes) in which the controllers are actually involved and which lie within their sphere of influence. In the view of the CJEU, in connection with the integration of the Facebook Like-Button, this is the collection and transmission of personal data that takes place via the Facebook Like-Button. However, any subsequent phases of data processing, such as the evaluation of user behavior by Facebook, are not subject to joint controllership, as such processing by Facebook takes place outside of the sphere of influence and without knowledge of the website operator.
Based on the previous decision-making practice of the CJEU and the resolutions of the Advocate General, the present judgment does not come as a great surprise. Nonetheless, this judgment, due to the statements contained therein, will also have far-reaching practical implications for data protection law.
This applies, on the one hand, to website operators who have implemented the Like-Button on their website. For them, the judgment means that in the future they will have joint controllership with Facebook in terms of complying with the provisions of the GDPR. It is to be expected that Facebook will provide a corresponding model agreement, as was the case after the CJEU's Facebook Fanpage decision (case C-210/16). However, in terms of content the decision will not be limited only to the Like-Button provided by Facebook, but can also be applied to social media tools from other providers which provide similar processing models.
On the other hand, the decision also provides generally valuable pointers for application in practice, since the CJEU provides important guidelines for the application and interpretation of joint controllership, which can also be applied to other processing arrangements.
For instance, it needs to be noted that a decision on the means of processing already exists if a party knowingly influences the processing in such a way that processing becomes possible or triggered. It is therefore not absolutely necessary for the party involved to influence the means of processing in such a way that it actively influences the parameters of the processing or of the tool, e.g. by adjusting the affected user group. On this point, the judgment differs significantly from the previous decision of the CJEU on joint controllership for the operation of a Facebook fanpage. In this judgment, the CJEU had explicitly pointed out that the operator of a Facebook fanpage can have a sufficient impact on the processing due to the ability to set parameters for the data collected and thus have joint controllership with Facebook. This clarification significantly expands the scope of joint controllership even further.
It should also be highlighted that, according to the CJEU, it is already sufficient to decide on the purpose if a party to the data processing tacitly agrees and thereby obtains an economic advantage that is so closely linked to the purpose pursued by the other party that it is virtually a kind of consideration.
In view of this broad interpretation, the issue of joint controllership will continue to gain in importance. This is especially true for companies that share personal information with other companies, including not only the online space or the use of social networks and social media plugins, but also other areas of data processing, such as shared application management and data sharing platforms or cooperative relationships of several companies with centralized data collection.