In a previous article, we reported that in case of using certain Facebook services, administrators of Facebook pages might be considered as data controllers – a fact they are not always aware of. A recent judgment of the European Court of Justice contains important findings for website operators.
Nowadays, it’s hard to come across a website that is not linked to the largest social networking site. Most operators take advantage of the ability to allow their visitors to like their Facebook page directly through the site or to share the content of the website on Facebook by a single click.
According to the facts of the ECJ case, Fashion ID GmbH & Co, an online clothing store in Germany, placed a Facebook “Like” button on its website. This has resulted in the transfer of personal data of website visitors to Facebook, regardless whether they had clicked on the “Like” button. The operator failed to comply with its obligation to provide information to data subjects as the transmission of the data took place without the knowledge of the data subjects.
In the trial initiated by Verbraucherzentrale NRW, a German public-service association for safeguarding the interests of consumers, the Higher Regional Court of Düsseldorf, Germany requested the Court of Justice to interpret the law.
The Court established that Fashion ID was a joint controller with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at hand, since it can be concluded that Fashion ID and Facebook Ireland determined jointly the means and purposes of those operations.
The Court clarified that the operator of a website as a (joint) controller in respect of certain operations involving the processing of the data of visitors must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of processing.
The Court specified that the operator of a website must obtain prior consent in respect of operations where it qualifies as a joint controller, namely the collection and transmission of the data.
Furthermore, with regard to the cases in which the processing of data is necessary for the purposes of a legitimate interest, the Court found that each of the joint controllers, namely the operator of a website and the provider of a social plugin must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them.