According to a recent European Court of Justice (ECJ) decision, an operator of a website who features the Facebook "Like" button can be liable if he has not sufficiently informed a website visitor about data protection. What consequences does this decision have for companies?
Many website operators embed the Facebook "Like" button, a so-called social plugin, on their websites. Personal data (e.g. IP address or technical information about the browser) are transmitted to Facebook as soon as the website is called up, regardless of whether or not the visitor is a member of the social network Facebook or has clicked on the “Like” button.
Fashion ID, a German online clothing retailer, embedded the Facebook “Like” button on its website. Consequently, the personal data of visitors to the Fashion ID website are automatically transmitted to Facebook. A German public-service consumer association, Verbraucherzentrale NRW, brought a complaint before the Higher Regional Court Düsseldorf (Oberlandesgericht Düsseldorf). The association criticised the fact that Facebook had not obtained the consent of the website visitors for the processing of their data. In addition, Facebook did not inform website visitors in a way that complied with data protection regulations. The Higher Regional Court Düsseldorf requested the ECJ to interpret a regulation of the Data Protection Directive, which had been applicable before the General Data Protection Regulation (GDPR) came into force on 25th May 2018.
The ECJ decision made clear that website operators like Fashion ID as well as Facebook can be held responsible for the data processing of website visitors. The Court found that in order to optimise its product advertisement by embedding Facebook "Like" buttons, Fashion ID can be considered to be a controller jointly with Facebook in respect of the operations involving the data collection and disclosure by data transmission to Facebook. Data processing (surrender, transmission and evaluation) could also be lawful without the consent of the website’s visitors for the purposes of legitimate interests. In any case, website operators must inform website visitors about the data processing itself as well as its purposes.
Regardless of this, Facebook is responsible for any further processing of the personal data transmitted to it.
The decision of the ECJ is in line with the decision of 5 June 2018 (Case C-210/2016): Deviating from German courts of instance, the ECJ decided that operators of Facebook fanpages have joint data protection responsibility with Facebook for user tracking on the website. The European Court of Justice is therefore increasingly making website operators subject to data protection obligations, which increases liability risks for companies.
In order to avoid liability risks, companies should comprehensively check their web presence. In particular, it should be checked whether
Dr Michael Herold, M.C.L., Attorney
Frankfurt am Main