CJEU “Fashion ID” case: the operator of a website embedding a social media “Like” button can be a controller jointly with the social media editor

On 29 July 2019, the Court of Justice of the European Union (“CJEU”) rendered its judgement in the “Fashion ID” case  (C-40/17). This judgment provides a broad concept on joint-controllership regarding the processing of personal data, in particular via the use of social media tools, and should be read in conjunction with previous decisions taken by the CJEU retaining similar outcomes.

In this “Fashion ID” case, the CJEU held that, under EU data protection legislation, the operator of a website featuring a Facebook “Like” button (i.e. a plugin that entails the transmission of personal data to Facebook) can be seen as acting as controller, jointly with Facebook. In consequence, the website operator is responsible for complying with the legal obligations in this context, and in particular for informing its website visitors that their personal data may be transmitted to Facebook.

Indeed, the “plugin” button permits the transmission of personal data (such as an IP address) to Facebook, while such data processing occurs even though the visitor does not have a Facebook account.

In this case, a German consumer protection association brought a lawsuit against the aforementioned website operator for infringement of the data protection legislation, in particular due to the lack of information provided to the visitors and the failure to obtain their consent (based on Directive 2002/58/EC on privacy and electronic communications).

A German regional court then requested a preliminary ruling of the CJEU asking it to provide interpretation on the European legislation on data protection. The case at hand was discussed under the framework of the former Directive 95/46/EC, as repealed on 25 May 2018 by the EU General Data Protection Regulation 2016/679 (“GDPR”). However, the reasoning held by the CJEU would most likely apply in the context of the GDPR-era as the legal concepts and principles established under the GDPR mainly derive from its “legal ancestor” which is Directive 95/46/EC.

In this context, the CJEU held the position that i) by embedding a social media “plugin” on its website, the website operator rendered it possible for Facebook to receive personal data from its visitors and was therefore to be considered as acting as controller jointly with Facebook for that processing operation; but that ii) the website operator should not be seen as acting as (joint) controller with regard to any subsequent processing operations that Facebook may carry out after having received the personal data, as it would be impossible for the website operator to determine the purposes and means of such processing activities which would be established solely under the control of the social media editor.

Therefore, for the portion of the processing operations for which the website operator acts as a controller, that operator shall inform the visitors (i.e. data subjects) about the processing operations affecting their personal data via the use of the social media “plugin” and shall obtain their consent in this respect if such processing enables the website operator to have access to personal information stored in the data subjects’ terminal equipment by way of cookies deposit or similar technologies.

The outcome of this “Fashion ID” case is not particularly surprising as the CJEU held previous positions relying on quite similar reasoning.

Indeed, with regard to the use of social media tools, the Court ruled on 5 June 20181   that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of personal data of visitors to the page, as according to the Court, that administrator takes part, by its definition of the parameters, in the determination of the purposes and means of the processing, as any Facebook page administrator can obtain anonymous statistical data on visitors via a function called “Facebook Insights” which collects personal data via deposit of cookies.

According to both of these aforementioned CJEU rulings, the fact that a website operator or web page administrator does not have access to the personal data collected and transmitted to the social-media editor does not affect its quality as (joint) controller as long as the party concerned has a role in determining the purposes and means of the processing.

This position is in fact consistent with another previous CJEU ruling2   stating that the joint responsibility of several players for the same processing does not require each of them to have access to the personal data concerned. In this case, the CJEU stated that a natural or legal person, who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller of the processing of personal data (even without having access to the personal data in question).

1 Judgment in Case C-210/16 (5 June 2018) Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH.
2 Judgment in Case C-25/17 (10 July 2018) - Tietosuojavaltuutettu v Jehovan todistajat.