Blog » THE FACEBOOK “LIKE” BUTTON AND WHAT LIES BEYOND – LUXEMBOURG RULED
THE FACEBOOK “LIKE” BUTTON AND WHAT LIES BEYOND – LUXEMBOURG RULED
21 August 2019
Before the summer break the Court of Justice of the European Union made a decision in a data protection related matter which concerned Facebook as well. The decision may be interesting and useful for everybody who embeds of his website the Facebook “Like” button. In our short article we summarize the most important findings of the Court.
1. The illustrious „Like” button the webpage of Fashion ID
Fashion ID is a German online clothing retailer who embedded on his website the Like social plugin of Facebook.
Embedding the Facebook „Like” button on a webpage basically means that the personal data of the visitors of the that webpage (IP address, browser data) will be transmitted to Facebook.
In relation with the transmission of the data it is irrelevant whether the webpage visitor clicks the “Like” button or not or whether he is a Facebook member or not. That means that someone’s data will be transmitted to Facebook if he visited a webpage on which the Facebook “Like” button was embedded.
2. The consumer protection strikes back
The Verbraucherzentrale NRW, a German association tasked with safeguarding the interest of consumers could not remain indifferent to the fact that the data of the visitor of Fashion ID’s webpage will be obtained by Facebook without the knowledge of the webpage visitor.
That is why Verbraucherzentrale NRW decided to sue Fashion ID to force it to stop that practice. The first instance court party decided in the favour of Verbraucherzentrale NRW but Fashion ID appealed the decision, furthermore Facebook also intervened in the appeal.
In the appeal procedure the court decided that it is necessary for the Court of the European Union to decide in certain data protection related matters thus he requested a preliminary ruling.
3. The main data protection related question and the decision of the Court
The most important data protection related question of the case was whether the operator of a webpage who embeds on his webpage a social plugin which transmits data to the provider of that social plugin can be considered as controller despite that he is unable to influence the processing of the data transmitted.
When examining the question, the Court divided the data processing activities into to categories: to the data processing until the transmission and after the transmission of the data to Facebook. it can be established that after the transmission of the data Fashion ID does not have any influence on the data processing. By contrary, in relation with the collection of the data by the webpage and their transmission to Facebook it may occur that Fashion ID determine the purposes of the processing jointly with Facebook.
Indeed, embedding the “Like” button may provide more publicity to Fashion ID while it may be beneficial to Facebook that he may be able to use the collected data for his commercial purposes. This means that the data processing is carried in the economic interests of both parties, for their jointly determined purpose which could be the basis of them being joint controllers. Further, the fact that Fashion ID does not have access to the collected and transmitted data does not preclude him from being a controller.
4. What are the consequences of being joint controllers?
Given the fact that in relation with the collection and transmission of the personal data to Facebook Fashion ID could be considered as a (joint) controller, by the time of the collection of the data he shall inform the webpage visitors about the data processing activities.
This is particularly important since those people can also visit Fashion ID’s webpage who are not members of Facebook and do not have a Facebook account. Regarding those people the liability of Fashion ID as the webpage operator is even higher.
In fact, basically it is Fashion ID who is in the position to inform the data subjects about the circumstances of the data processing by placing a privacy notice on his webpage and especially about the fact that the mere consulting of the webpage will result in a data transmission to Facebook.
5. Lesson learnt
The basic lesson is that the capacity and liability of (joint) controllership can be based on the joint determination of the processing purposes, for example the common economic interest of the controllers. The capacity of being a controller is independent of the fact whether the controller has access or not to the data.
In brief: if you have influence on the purpose of the processing you may be considered as a controller even if you do not store or do not have access to that data.
As a rather specific lesson you should bear in mind that in case you embed on your webpage the Facebook “Like” button you may be considered as a joint controller together with Facebook and you need to inform the visitors of your webpage that their data will be transmitted to Facebook.
ONLINE CONSUMER CONTRACTS – IS YOUR BUSINESS CONCERNED?
Black Friday is once again around us: the time when online shops and the consumer protection authority cash in some extra income every year. We guess you’ve already read about the extreme discounts and the record-breaking fines by the authorities, so in our article, we will explain, that without your knowledge, your own business can easily step into the field of consumer protection, in which case, your contracts are subject to special rules. In our article, we show you how you can recognize these situations and, of course, summarize the obligations.Read more »
HOW TO TRANSFER PERSONAL DATA TO NON-EEA COUNTRIES? - NEW EDPB RECOMMENDATION
Since in the middle of summer 2020, the Court of Justice of the EU (CJEU) invalidated the Privacy Shield and put into question the applicability of the standard contractual clauses, we were wating for guidance from the European Data Protection Board (EDPR) how to transfer personal data to non-EEA countries in a GDPR-compliant way. Finally, the EDPB broke the silence and provided a 6-step guide which we summarize in this short article.Read more »
THE SUPREME COURT RULED – FLEXIBLE WORKING TIME CAN ONLY BE ORDERED IN WRITING IN HUNGARY
It is often the case that the employer does not clearly regulate the employment relationship of the employees, which later leads to an employment lawsuit. This happened in the case before the Hungarian Supreme Court, where a legal dispute arose in connection with the employee's work schedule, the stake is the payment of several million forints of overtime work compensation to the employee. In our short article, we analyze the Supreme Court’s decision and draw conclusions on how the employer can avoid similar situations.Read more »