Blog » THE FACEBOOK “LIKE” BUTTON AND WHAT LIES BEYOND – LUXEMBOURG RULED
THE FACEBOOK “LIKE” BUTTON AND WHAT LIES BEYOND – LUXEMBOURG RULED
21 August 2019
Before the summer break the Court of Justice of the European Union made a decision in a data protection related matter which concerned Facebook as well. The decision may be interesting and useful for everybody who embeds of his website the Facebook “Like” button. In our short article we summarize the most important findings of the Court.
1. The illustrious „Like” button the webpage of Fashion ID
Fashion ID is a German online clothing retailer who embedded on his website the Like social plugin of Facebook.
Embedding the Facebook „Like” button on a webpage basically means that the personal data of the visitors of the that webpage (IP address, browser data) will be transmitted to Facebook.
In relation with the transmission of the data it is irrelevant whether the webpage visitor clicks the “Like” button or not or whether he is a Facebook member or not. That means that someone’s data will be transmitted to Facebook if he visited a webpage on which the Facebook “Like” button was embedded.
2. The consumer protection strikes back
The Verbraucherzentrale NRW, a German association tasked with safeguarding the interest of consumers could not remain indifferent to the fact that the data of the visitor of Fashion ID’s webpage will be obtained by Facebook without the knowledge of the webpage visitor.
That is why Verbraucherzentrale NRW decided to sue Fashion ID to force it to stop that practice. The first instance court party decided in the favour of Verbraucherzentrale NRW but Fashion ID appealed the decision, furthermore Facebook also intervened in the appeal.
In the appeal procedure the court decided that it is necessary for the Court of the European Union to decide in certain data protection related matters thus he requested a preliminary ruling.
3. The main data protection related question and the decision of the Court
The most important data protection related question of the case was whether the operator of a webpage who embeds on his webpage a social plugin which transmits data to the provider of that social plugin can be considered as controller despite that he is unable to influence the processing of the data transmitted.
When examining the question, the Court divided the data processing activities into to categories: to the data processing until the transmission and after the transmission of the data to Facebook. it can be established that after the transmission of the data Fashion ID does not have any influence on the data processing. By contrary, in relation with the collection of the data by the webpage and their transmission to Facebook it may occur that Fashion ID determine the purposes of the processing jointly with Facebook.
Indeed, embedding the “Like” button may provide more publicity to Fashion ID while it may be beneficial to Facebook that he may be able to use the collected data for his commercial purposes. This means that the data processing is carried in the economic interests of both parties, for their jointly determined purpose which could be the basis of them being joint controllers. Further, the fact that Fashion ID does not have access to the collected and transmitted data does not preclude him from being a controller.
4. What are the consequences of being joint controllers?
Given the fact that in relation with the collection and transmission of the personal data to Facebook Fashion ID could be considered as a (joint) controller, by the time of the collection of the data he shall inform the webpage visitors about the data processing activities.
This is particularly important since those people can also visit Fashion ID’s webpage who are not members of Facebook and do not have a Facebook account. Regarding those people the liability of Fashion ID as the webpage operator is even higher.
In fact, basically it is Fashion ID who is in the position to inform the data subjects about the circumstances of the data processing by placing a privacy notice on his webpage and especially about the fact that the mere consulting of the webpage will result in a data transmission to Facebook.
5. Lesson learnt
The basic lesson is that the capacity and liability of (joint) controllership can be based on the joint determination of the processing purposes, for example the common economic interest of the controllers. The capacity of being a controller is independent of the fact whether the controller has access or not to the data.
In brief: if you have influence on the purpose of the processing you may be considered as a controller even if you do not store or do not have access to that data.
As a rather specific lesson you should bear in mind that in case you embed on your webpage the Facebook “Like” button you may be considered as a joint controller together with Facebook and you need to inform the visitors of your webpage that their data will be transmitted to Facebook.
CAN THE EMPLOYER EXPAND THE EMPLOYEES’ DUTIES WITHOUT CHANGING THE JOB DESCRIPTION IN HUNGARY?
The position and tasks of the employee are one of the key elements of the employment contract and are typically recorded in the job description. It is often a matter of dispute between the parties whether the employer can unilaterally modify the job description at all, and if so, to what extent. In a recent court decision, a Hungarian appellate court addressed the above question in a situation where the employer supplemented the employee's tasks with new tasks similar to his existing tasks. In this article, we analyse the recent decision on this matter.Read more »
CAN A HARSH FACEBOOK COMMENT BE A LAWFUL GROUND FOR DISMISSAL IN HUNGARY?
Social media platforms significantly changed the ways how people express their opinions: sharing views became easier than ever. On the one hand, this is positive, but on the other hand, it is also dangerous in the employment context, as the employee's opinion may be prejudicial to the employer's interests. A recent decision of the Hungarian Supreme Court gives answer to the question whether the employer can dismiss the employee for expressing his opinion on Facebook.Read more »
NEW EU – US DATA PRIVACY FRAMEWORK - SIMPLIFIED DATA TRANSFER TO THE US
With the Schrems II judgment, which invalidated the Privacy Shield, the CJEU (Court of Justice of the European Union) make it more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. However, the new EU-US Data Privacy Framework (or “Framework”) adopted on 10 July aims to put an end to this situation. But how does the Framework make data transfers between the EU and US easier? In this short article, we explain the basics of the new Framework and answer the above question.Read more »