The Fashion ID judgement: Plugin to be a joint controller

• United Kingdom

• Privacy, data protection and cybersecurity

02-08-2019

The Facebook “Like” button and similar social media plugin technologies (Plugin) are now so commonplace that we perhaps don’t give them a second thought. Plugins provide an easy way for consumers to connect instantly with a preferred brand, product or service online, and an even niftier way for companies such as Facebook to optimise these interactions through targeted advertising.

However, the important judgement of the Court of Justice of the European Union (CJEU) in the Fashion ID case¹ has brought the privacy impact of Plugins into sharper focus.

The CJEU confirmed that a website’s integration of the Facebook “Like” Plugin rendered it a joint controller with Facebook for the personal data collected and sent to Facebook. This decision is likely to have a wider application beyond Facebook and this particular case, and may well apply to other social media and advertising companies operating similar Plugins, cookies, pixels, tags or scripts.

Background

The case was referred to the CJEU by the German courts. Fashion ID, a German online clothing retailer, embedded the Facebook “Like” button on its website, which facilitated the transmission of the website visitor’s personal data to Facebook Ireland.

The transmission occurred as a result of the website including the button, without the visitor being aware of the transmission, and regardless of whether the visitor was a member of Facebook or had clicked the “Like” button. A German consumer protection group brought an action against the retailer in 2015, citing that Fashion ID had failed to comply with certain requirements under the former Data Protection Directive 95/46/EC.

Why is this significant?

The case imposes important data governance obligations on both websites and social media companies when using Plugins and similar technologies. Also, consumers may not have realised until now that their personal data may be transferred to a Plugin owner without them interacting with the relevant button or even having an account with the social media platform. It will be interesting to observe the reaction of social media and ad tech companies operating in the space to see whether tech will be adjusted to respond to this decision.

From a regulatory perspective, a joint controller relationship means that the website and social media operator must meet the obligations under Article 26 GDPR. This involves the parties putting an agreement in place to confirm which entity will be responsible for responding to data subject rights requests from users and providing fair notice. The parties will need to communicate this to website users.

In addition, the website and the social media company must have a lawful basis under GDPR in order to operate the Plugin lawfully. The CJEU suggested that this could be either informed consent from website users before their personal data is transferred to Facebook, or a legitimate interest which necessitates this collection and transfer.

The decision is also of interest in respect of the precedent it sets around the threshold for a determination of joint controllership, which seems to be much lower than perhaps some expected. As this case shows, the concept of joint controllership isn’t new to GDPR, but few want the mantle and risk it involves. We can expect to see more data sharing arrangements declared as joint controller arrangements following this case. See our briefing on the ICO’s draft Data Sharing Code of Practice for more on this point.

What should website publishers do?

Website publishers should review their websites to identify the integration of any Plugins which may be impacted by the Fashion ID case. If yes, they should:

• Address Plugin use, and the collection and transfer of browser personal data to the social media operator in their privacy policies. These need to satisfy the requirements of Article 13 GDPR, but note that it is the responsibility of the social media company to address how they will use the personal data once they receive it in its own privacy policy.

• Agree appropriate joint controller terms with their social media partner(s) for Plugin use:

• It will be interesting to see how the players discharge their joint obligations in practice, and whether we will see, eg Facebook offering joint controller terms on website publishers which integrate its “Like” Plugin (as it has done in the fanpage context). Other social media giants, such as Twitter and LinkedIn, may follow their lead.

• Review, document and implement their lawful basis for the use of the Plugin:

• The lawful basis only needs to relate to the collection and transmission of the personal data.

• We may see social media companies using their tech expertise to integrate consent mechanisms within their Plugin packages to provide a smoother user experience. Website publishers should still review and assess the lawfulness of any social media partner designed consent mechanism.

• On the other hand, where legitimate interests is chosen as the appropriate lawful basis, website publishers should ensure they complete a Legitimate Interests Assessment for this processing to meet their GDPR governance obligations and build in a mechanism to allow browsers to object to this use.

1. Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV