Blog » THE FACEBOOK “LIKE” BUTTON AND WHAT LIES BEYOND – LUXEMBOURG RULED
THE FACEBOOK “LIKE” BUTTON AND WHAT LIES BEYOND – LUXEMBOURG RULED
21 August 2019
Before the summer break the Court of Justice of the European Union made a decision in a data protection related matter which concerned Facebook as well. The decision may be interesting and useful for everybody who embeds of his website the Facebook “Like” button. In our short article we summarize the most important findings of the Court.
1. The illustrious „Like” button the webpage of Fashion ID
Fashion ID is a German online clothing retailer who embedded on his website the Like social plugin of Facebook.
Embedding the Facebook „Like” button on a webpage basically means that the personal data of the visitors of the that webpage (IP address, browser data) will be transmitted to Facebook.
In relation with the transmission of the data it is irrelevant whether the webpage visitor clicks the “Like” button or not or whether he is a Facebook member or not. That means that someone’s data will be transmitted to Facebook if he visited a webpage on which the Facebook “Like” button was embedded.
2. The consumer protection strikes back
The Verbraucherzentrale NRW, a German association tasked with safeguarding the interest of consumers could not remain indifferent to the fact that the data of the visitor of Fashion ID’s webpage will be obtained by Facebook without the knowledge of the webpage visitor.
That is why Verbraucherzentrale NRW decided to sue Fashion ID to force it to stop that practice. The first instance court party decided in the favour of Verbraucherzentrale NRW but Fashion ID appealed the decision, furthermore Facebook also intervened in the appeal.
In the appeal procedure the court decided that it is necessary for the Court of the European Union to decide in certain data protection related matters thus he requested a preliminary ruling.
3. The main data protection related question and the decision of the Court
The most important data protection related question of the case was whether the operator of a webpage who embeds on his webpage a social plugin which transmits data to the provider of that social plugin can be considered as controller despite that he is unable to influence the processing of the data transmitted.
When examining the question, the Court divided the data processing activities into to categories: to the data processing until the transmission and after the transmission of the data to Facebook. it can be established that after the transmission of the data Fashion ID does not have any influence on the data processing. By contrary, in relation with the collection of the data by the webpage and their transmission to Facebook it may occur that Fashion ID determine the purposes of the processing jointly with Facebook.
Indeed, embedding the “Like” button may provide more publicity to Fashion ID while it may be beneficial to Facebook that he may be able to use the collected data for his commercial purposes. This means that the data processing is carried in the economic interests of both parties, for their jointly determined purpose which could be the basis of them being joint controllers. Further, the fact that Fashion ID does not have access to the collected and transmitted data does not preclude him from being a controller.
4. What are the consequences of being joint controllers?
Given the fact that in relation with the collection and transmission of the personal data to Facebook Fashion ID could be considered as a (joint) controller, by the time of the collection of the data he shall inform the webpage visitors about the data processing activities.
This is particularly important since those people can also visit Fashion ID’s webpage who are not members of Facebook and do not have a Facebook account. Regarding those people the liability of Fashion ID as the webpage operator is even higher.
In fact, basically it is Fashion ID who is in the position to inform the data subjects about the circumstances of the data processing by placing a privacy notice on his webpage and especially about the fact that the mere consulting of the webpage will result in a data transmission to Facebook.
5. Lesson learnt
The basic lesson is that the capacity and liability of (joint) controllership can be based on the joint determination of the processing purposes, for example the common economic interest of the controllers. The capacity of being a controller is independent of the fact whether the controller has access or not to the data.
In brief: if you have influence on the purpose of the processing you may be considered as a controller even if you do not store or do not have access to that data.
As a rather specific lesson you should bear in mind that in case you embed on your webpage the Facebook “Like” button you may be considered as a joint controller together with Facebook and you need to inform the visitors of your webpage that their data will be transmitted to Facebook.
LAWFUL DISMISSAL IN HUNGARY - PART VI: TERMINATION WITHOUT NOTICE
In the last two articles of our series on “lawful dismissal” we present the most severe sanction that can be applied to an employee, the immediate (formerly: extraordinary) termination. This measure is applied in serious incidents only, so many employers believe that they will not need to use the sanction. But, as we know, the devil does not sleep and it is in the details, so the employer needs to be prepared for this scenario as well to avoid further inconvenience.Read more »
5 CURRENT GDPR-FINES ACROSS EUROPE – LEARN FROM OTHERS’ MISTAKES
The supervisory authorities in Europe controlling compliance with the GDPR have not sat on their hands in the last couple of months. In this short article we collected five interesting cases from the recent past. The wide discretionary powers of the data protection authority is well illustrated by the fact that sometimes the GDPR fine was only EUR 2000, but in another case a company has been fined for EUR 11,5 Million! Continue reading if you would like to avoid the same or similar expensive errors.Read more »
LAWFUL DISMISSAL IN HUNGARY - PART V: PROTECTION AGAINST DISMISSAL
In the previous articles on the lawful dismissal, we discussed that, ranging from the employee’s behaviour to the employer’s reorganization, there can be many legitimate reasons for dismissal by the employer. However, irrespective of the legitimate reason, the employment relationship cannot be terminated if the employee is protected against dismissal by law (i.e. the Labour Code). From our article, you can learn about these protections.Read more »