On 29 July 2019 the European Court of Justice rendered its preliminary ruling in Case C-40/17 Fashion ID GmbH & Co. KG v. Verbraucherzentrale NRW eV, providing insight into the limits of a controller’s responsibilities under Directive 95/46 and possibly under the GDPR.
Fashion ID, an online clothing retailer, embedded on its website Facebook’s ‘Like’ plugin, which transmits certain data of the visitors (IP address, browser’s technical data) to Facebook Ireland regardless of whether the visitor has actually clicked on the button. The operator of the website could not control what data the browser transmits or what Facebook does with those data. A German consumer protection organization brought actions against Fashion ID for transmitting to Facebook Ireland personal data belonging to visitors to its website, first, without their consent and, second, in breach of its duties to inform data subjects.
Unsurprisingly, the ECJ reconfirmed previous case law (Google Spain and Google, Wirtschaftsakademie Schleswig-Holstein) to find that Fashion ID and Facebook Ireland act as joint controllers with respect to the processing operations involving the collection and transmission of the personal data of the website’s visitors. However, since Fashion ID does not determine the purpose and means of any further processing carried out by Facebook Ireland once the data is transmitted, its responsibility is limited only to those two operations. As to the applicable legal basis for that processing, in the absence of consent by the site visitor and of a requirement for such consent under Directive 2002/58 and the relevant local legislation, each of the website operator and the third-party provider of the plugin should pursue a legitimate interest. If a website operator prefers to rely on consent, it is sufficient that such consent covers the collection and transmission of the data to the third-party provider. The same applies to the duty to inform the data subjects.
So what’s the impact of the ECJ’s new ruling? Apparently, since website operators using third-party plugins and plugin providers act as joint controllers, they should have in place agreements under Article 26 of the GDPR. Website operators would be well advised to make sure that: (1) they know what data is actually transmitted to the third-party provider so as to (a) assess whether they have a legitimate interest in using the plugin, (b) determine whether Directive 2002/58 applies to such data and to what extent and (c) be able to properly fulfill their duty to inform the page visitors, and (2) no personal data is transmitted to companies located outside the EU without the necessary safeguards under the GDPR.
On the other hand, providers of plugins such as Facebook should be careful in how they use the data transmitted to them and, in particular, should consider whether they could rely on a legitimate interest or should seek assistance from the website operators in obtaining an appropriate consent from the outset.
* The information and opinions expressed in this article are not legal advice and should not be relied upon as such.