Not “Liking” the Responsibility for Data Protection
A Facebook ‘Like’ button makes you a joint controller in the EU.
The European Court of Justice recently addressed the use of a Facebook ‘Like’ button by Fashion ID GmbH & Co. KG (“Fashion ID”), an online clothing retailer, on its website. Facebook Ireland Ltd. (“Facebook”) acted as an intervenor in the case.
The ECJ ruled that the operator of a website that embeds a social plugin, such as Facebook’s ‘Like’ button, can be considered a controller within the meaning of Article 2(d) of the Data Protection Directive, and is therefore subject to various obligations, where that plugin causes the browser of a visitor to the website to request content from the provider of the plugin and to transmit the visitor’s personal data to that provider.
Article 2(d) of that directive provides that:
“controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or [EU] laws or regulations, the controller or the specific criteria for his nomination may be designated by national or [EU] law.
The personal data of any visitor to the Fashion ID website was transmitted to Facebook because of the ‘Like’ button included on the site. This transmission occurred without notice to the visitor, regardless of whether that visitor was a member of Facebook or had clicked on the ‘Like’ button.
However, the court held that joint liability does not imply equal responsibility. When operators are involved at different stages of the processing of personal data and to different degrees, the liability to be imposed on the various controllers will be assessed according to the specific circumstances of the case. The court concluded that a further investigation was needed to determine the degree of liability for each of Fashion ID and Facebook.