Update Data Protection No. 50
Joint controllership in the integration of third-party website plug-ins - Concluding Opinion of the Advocate General to the ECJ on the "Facebook Like" button
The Court of Justice of the European Union (ECJ) must currently clarify whether and how website operators can legally integrate the so-called "Like" button of Facebook on their website (Case C-40/17). A German online retailer had integrated the "Facebook Like" button into their online shop. Due to the functionality of the "Facebook Like" button, personal information was transmitted to Facebook Ireland each time the website was visited, including the IP address. This transmission took place automatically with each visit, regardless of whether the user had clicked on the "Facebook Like" button or even had a user account on Facebook.
Verbraucherzentrale Nordrhein-Westfalen e.V. (North Rhine-Westphalia Consumer Center) has filed a cease-and-desist injunction against the online retailer and is of the opinion that the integration of the "Facebook Like" button violates data protection regulations, alleging, for example, that the user’s consent is required for data processing. In its view, the website operator is also responsible for data protection, even if they merely include the "Facebook Like" button on their website and have no influence on the downstream data processing by Facebook. In the course of the proceedings, the Düsseldorf Higher Regional Court has therefore asked the ECJ, inter alia, whether the online retailer, who includes the "Facebook Like" button on their website, is a data controller of the data processing entailed.
Classification of the dispute
The lawsuit is part of a series of cases before the ECJ dealing with issues of joint controllership in data processing. In June 2018, the ECJ had already decided that joint controllership existed between Facebook Ireland and the operator of a so-called "Facebook Fanpage" (see Case C-210/16 and our Update No. 39 of 2018).
Admittedly, the questions submitted to the ECJ in the current proceedings concern the interpretation of the Data Protection Directive 95/46/EC, which was in force before the GDPR became effective. However, the pending decision of the ECJ should also be transferable to the provisions of the GDPR now in force.
Under the GDPR, the answers to these questions have far-reaching consequences for companies. Firstly, joint controllers for data processing under Art. 26 GDPR must agree on an arrangement on joint controllership and make the substance of this arrangement accessible to the data subjects. Secondly, controllers are jointly and severally liable vis-à-vis data subjects. The failure to make such an arrangement ultimately entails significant fines.
On December 19, 2018, the Concluding Opinion of the Advocate General was published at the ECJ in the proceedings concerning the "Facebook Like" button. In his Concluding Opinion, the Advocate General proposes a ruling to the ECJ, which typically follows such proposals. It is not yet known when the ECJ will make a decision.
According to Article 26 (1) of the GDPR, several parties involved in data processing are to be considered "joint controllers for data processing" when they jointly determine the purposes and means of data processing. The key criterion for determining the responsibility of (joint) controllers is the actual impact on the processing purposes and means. In order for joint controllers to be responsible, each party involved must have actual influence; however, this does not necessarily mean that the joint controllers have equal decision-making authority.
Integrating the "Facebook Like" button on a website is sufficient
In the Advocate General’s opinion, the threshold for assuming joint controllership is very low. The Advocate General believes that the mere integration of the "Facebook Like" button and the commercial purposes pursued by those involved suffice to assume joint controllership.
Indeed, the website operator - unlike in the decision regarding the "Facebook Fanpage" - is not actively involved in the parameterization of the plug-in ("Facebook Like" button). It is sufficient, however, that the website operator participates in the parameterization by deliberately integrating the plug-in on their website. The mere integration is therefore deemed (co-)decision-making on the means of data processing.
The common purpose of Facebook Ireland and the website operator is also apparent. Although there is no identical commercial use of personal information, Facebook Ireland and the website operator have pursued general commercial (advertising) purposes that complement each other. That alone is sufficient for the Advocate General to affirm the common definition of the purpose.
Limiting joint controllership to individual stages of processing
However, as a corrective measure to the mere integration of a plug-in being grounds for the assumption of joint controllership, the Advocate General limits joint controllership to the data-processing operations in which the website operator actually contributes to the decision on the means and purposes of data processing.
In the specific case, these are (only) the data collection and transmission to Facebook Ireland. All downstream data processing by Facebook Ireland is the sole responsibility of the same. The website operator is therefore not a controller of the entire chain of all data processing.
The Advocate General confirms in his Concluding Opinion what many feared after the "Facebook Fanpage" decision: The threshold for assuming joint controllership is low. All it takes is the integration of a third-party plug-in on a website that collects and transmits personal information. If the ECJ agrees with the Concluding Opinion of the Advocate General in its ruling, which is generally to be expected, joint controllership will not only apply when integrating a "Facebook Like" button. According to the Advocate General, the integration of other social media plug-ins (e.g., Xing, Twitter, Instagram, etc.) is likely to trigger joint controllership of the website operator together with the respective plug-in provider as well. However, it is not only so-called social plug-ins that are affected. In the case of website analysis tools and other third-party data-mining tools and content, the question of whether or not they trigger joint controllership will arise in the future as well, since providers of such tools typically use the collected data for commercial purposes as well.
If the ECJ agrees with the Advocate General's Concluding Opinion, then companies must review thoroughly whether there is joint controllership before integrating plug-ins and other third-party tools and content on their website. If this question is answered in the affirmative, it remains to be determined for which specific phases of data processing joint controllership exists.
First and foremost, in order to avoid the risk of fines, companies must ensure that there is a sufficient legal basis for data processing via the integrated tool (in particular, consent). An agreement regarding joint controllership is to be concluded with the provider of the plug-in or tool, and the substance of the agreement must be accessible to the data subjects (users). Should the ECJ decide as the Advocate General envisages, it can be expected that corresponding standard agreements will be made available by the major providers (e.g., Facebook).