On July 29, 2019, the Court of Justice of the European Union (CJEU) found that a website operator using a social media plugin is a joint controller with the social media company providing the plugin and can be held jointly liable in relation to such processing activities. Although the case was decided under the Privacy Directive 95/46, since the ruling concerns definitions that also exist under the General Data Protection Regulation (GDPR), website operators should take note and may want to review their previous legal bases determinations and notices as well as their existing contractual arrangements with the social media company to ensure they are in compliance with GDPR.
The case arose when a German consumer protection association sued a German online fashion retailer, Fashion ID, for allegedly breaching the then-existing national data protection laws when it enabled the transfer of visitors’ personal data to a third party via a social plugin. The German Higher Regional Court referred the matter to the CJEU.
In the proceedings it became apparent that the social media plugin (a “like” button) on Fashion ID’s website caused the visitor’s browser to request content from the company providing the plugin; then the browser transmitted the visitor’s personal data to the social plugin company. This happened as soon as the visitor consulted the website and regardless of whether or not the visitor:
- was aware of such an operation;
- was a member of the social media platform; or
- had clicked on the plugin.
Website Operator Is a Joint Controller
Even though Fashion ID could not influence the social plugin’s processing activities and did not have access to the data itself, the CJEU determined that Fashion ID is a joint controller. The CJEU reasoned that Fashion ID was a joint controller because it, along with the social media plugin company, “co-determined” the parameters of the data collected by the social media plugin by making the decision to embed the plugin in its website. Furthermore, Fashion ID benefitted from the plugin, as the plugin permitted targeted advertising and increased exposure on the social plugin company’s website. The CJEU noted that the Privacy Directive defines broadly what constitutes a “controller,” and that the concept of a controller does not necessarily refer to a single entity and may concern several actors.
On the other hand, the CJEU also ruled that Fashion ID was only liable in relation to the processing operations where it actually determines the purposes and means – i.e., the collection and disclosure by transmission of the data at issue – but was not responsible for the subsequent operations by the social media company after the transmission to the latter.
Both Joint Controllers Must Be Pursuing a Legitimate Interest
As a joint controller under the Privacy Directive and GDPR Article 6, Fashion ID must have a legal basis for the processing of the personal data to be lawful. While one of the legal bases controllers can rely on is that the processing of the data subject’s personal data is necessary for pursuing a legitimate interest by the controller or a third party, the CJEU clarifies that as joint controllers both Fashion ID and the social media company must be pursuing a legitimate interest to rely on legitimate interest as the legal basis for processing.
Website Operator’s Responsibilities
The CJEU also analyzed whether a website visitor’s consent should be obtained by Fashion ID or the social media plugin company to the extent the parties rely on consent of the data subject as the legal basis for processing. Here, the CJEU ruled that Fashion ID would be responsible for obtaining consent, and that it must do so prior to the collection and disclosure of the data. According to the CJEU, Fashion ID also has the duty to provide data subjects with notice about the processing of their personal data, but its obligations in relation to its status as a joint controller are limited to those processing activities for which it acts as a joint controller.
Takeaways for Website Operators
In light of this decision, website operators subject to the GDPR should consider reassessing their data sharing relationships and:
- assess whether their website visitors’ personal data are collected and shared to a social media company by means of a plugin;
- determine whether they qualify as a joint controller;
- check whether they have a GDPR-compliant joint-controllership agreement with the social media company;
- determine the legal bases for processing in relation to instances where they are joint controllers; and
- assess whether as a controller they are complying with their notice and various other obligations under the GDPR.
If in doubt, do not hesitate to contact the authors of this alert; we will gladly answer specific questions and provide guidance.