The starting point is a case brought by a German consumer protection association (“Verbraucherschutzzentrale”) against a German online retailer. The Verbraucherschutzzentrale complained that the retailer had integrated the Facebook Like button on its own website without the users of the website having to consent to the transmission of data to Facebook or at least having been informed about it. Against this background, the ECJ had to decide whether consumer protection associations can issue warning notices for data protection violations at all under the German UWG, and whether the online retailer is a (joint) controller for the data transfer and possibly for the data processing by Facebook.
With the Facebook Like button, the website operator embeds a short piece of code into his website that starts an application on Facebook servers. Facebook can collect data from visitors to the website even if they do not click on the Like button. The data collected includes the IP address and data about the device used. If a user has a user account with Facebook, this information will be linked to his user account; however, even if the user is not registered with Facebook, his data will be processed by Facebook. In this particular case the user had no possibility to prevent this data transmission.
The case had to be decided under the EU Data Protection Directive of 1995 (Directive 95/46/EC), not under the EU General Data Protection Regulation (GDPR). Nonetheless, the judgment is also of considerable significance under the GDPR, since in particular the rules on joint controllership and the legal bases for data processing have remained essentially unchanged in the GDPR.
The ECJ has ruled that the site operator is not a joint controller if he has no influence on the actual processing by another controller, i.e. if he does not determine the purposes and means of the processing. In this specific case, this means that the retailer is not a joint controller for all of Facebook's data processing operations.
However, the ECJ believes that the retailer has influenced the data processing by integrating the plugin on his page and has therefore jointly determined the means of processing with Facebook. With regard to the purposes of the processing, the ECJ believes that the integration of the plugin serves to improve the visibility of the merchant's offers on Facebook and therefore the merchant and Facebook have also jointly defined a purpose (advertising). However, the ECJ qualifies this by noting that the Düsseldorf Higher Regional Court has to examine the specific circumstances again in detail.
If the mere facilitation of the data collection by another controller leads to a joint controllership, this would probably be the case with every integration of third-party content such as videos, pictures, weather reports, stock market prices, etc. The integration of third-party content enables the data to be collected by the content provider and is usually also in the interest of the integrating website operator.
Unfortunately, the decision does not contain any specific criteria for consideration. The fact that the visitor to the site was not even aware that data would be transmitted to Facebook in the specific case is mentioned several times, but is not taken into account in the determination of joint controllership. This leaves it unclear whether a technical integration, in which data is only transmitted to the other controller when the visitor actively clicks on the plugin or the third party content, would be assessed differently under data protection law. The current ruling of the ECJ can even be understood as meaning that every simple link to another website already triggers a joint controllership. The consequences would be practically unmanageable.
If the data processing is to be based on a legitimate interest, such a legitimate interest must exist with each of the joint controllers.
The ECJ has taken a clear position on whether consumer associations can issue warning notices for data protection infringements and considered the national German regulations to be admissible. Whether this assessment can also be applied to the current legal situation under the GDPR is questionable, as the respective regulations differ in content and the GDPR, unlike the Directive, is fundamentally a law that takes precedence. Again, in practice the judgment will raise more questions than it has answered.
The decision considerably increases the liability risks of site operators when integrating plug-ins and third-party content. To the best of our knowledge, providers of external content do not yet offer any corresponding agreements on joint controllership. In a first step, site operators should therefore check whether and, if so, which external content is integrated into their own site. If external content such as social media plugins, map services, videos, images, web fonts, etc. is to remain integrated in their own pages, we recommend that it is only loaded or activated after the visitor has actively acted, e.g. by embedding preview images that load the active content only after a click or by using solutions such as the open source solution Embetty (formerly Shariff) originally developed by Heise Verlag. In any case, the data protection declaration should be checked and supplemented if necessary. Depending on the type of external content, a different data protection design may be possible, e.g. processor-controller agreements. Talk to your content suppliers about the ECJ decision. We are happy to support you if required.
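For the first step recommended above (checking which external content a site integrates), the following added example, which is not part of the original article, lists the third-party hosts a page contacts as soon as it renders, without any click by the visitor. The function name `audit_embeds`, the sample markup and the `*.example` hosts are assumptions constructed for illustration; the check reads static HTML only, so content injected by scripts at runtime is not covered.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser send a request as soon as the page renders.
# <a href> is deliberately absent: a plain link transmits nothing until it is clicked.
AUTOLOAD = {"script": "src", "iframe": "src", "img": "src", "embed": "src",
            "video": "src", "audio": "src", "source": "src", "link": "href"}
LOADING_RELS = {"stylesheet", "preload", "prefetch", "icon"}


class _EmbedParser(HTMLParser):
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url = page_url
        self.first_party = {urlparse(page_url).hostname, *first_party}
        self.hosts = {}  # third-party host -> set of tag names that load from it

    def handle_starttag(self, tag, attrs):
        attr = AUTOLOAD.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link" and not LOADING_RELS & set((attrs.get("rel") or "").lower().split()):
            return  # e.g. rel="canonical" names a URL but fetches nothing
        url = urljoin(self.page_url, (attrs.get(attr) or "").strip())
        host = urlparse(url).hostname  # None for data: URIs
        if host and host not in self.first_party:
            self.hosts.setdefault(host, set()).add(tag)


def audit_embeds(html, page_url, first_party=()):
    """Return {third-party host: sorted tag names} for content loaded without a click."""
    parser = _EmbedParser(page_url, first_party)
    parser.feed(html)
    return {host: sorted(tags) for host, tags in parser.hosts.items()}


# Constructed sample page; every host except Facebook's is a placeholder.
SAMPLE = """
<link rel="canonical" href="https://other.example/p/1">
<link rel="stylesheet" href="//fonts.example/css?family=Sans">
<img src="https://cdn.shop.example/p1.jpg">
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fshop.example%2Fp%2F1"></iframe>
<a href="https://www.facebook.com/shop-example">Visit us on Facebook</a>
<div class="embed-preview" data-src="https://video.example/embed/42"><img src="/img/preview42.jpg"></div>
"""

if __name__ == "__main__":
    print(audit_embeds(SAMPLE, "https://shop.example/p/1", {"cdn.shop.example"}))
```

The video placeholder in the sample is not reported because its `data-src` attribute triggers no request until a script activates it after a click, which is the click-to-load pattern the paragraph above recommends.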