In its decision of July 29, 2019 (Case C-40/17), the ECJ has once again taken a position on data protection law and confirmed the arguments of consumer protection organizations. According to the judges, the operator of a website is generally responsible for both collecting and forwarding the personal data of visitors to its website. If a Like button is provided, there may be joint responsibility with Facebook & Co.
Consumer advocates saw several data protection violations
The lawsuit was brought by Verbraucherzentrale NRW e.V. against Fashion ID GmbH & Co KG. The latter had installed the Facebook “Like” button on its website. Through this social plugin, the personal data of all visitors to the website was automatically forwarded to Facebook. This happened regardless of whether they used the “Like” button or were even a member of Facebook.
The consumer advocates wanted to prevent this. In their view, by integrating the social plugin, Fashion ID had committed several breaches of data protection law. Fashion ID did not provide sufficient information about the collection and transfer of data and did not have the user’s consent for this.
Joint responsibility (only) until forwarding
In their decision, the judges emphasize, on the one hand, that the operator of a website, together with the provider of a social plugin, is responsible for the collection and transfer of personal data to the provider. On the other hand, the website operator is no longer responsible if the data is collected exclusively by the provider of the social plugin and processed there.
The reason for the prior joint responsibility is, on the one hand, that both the website operator and the provider of the social plugin pursue their own economic advantages from these two data processing activities. On the other hand, the website operator also decides on the means and purpose of data processing, as it is up to the operator to decide which social plugins it integrates into its website and how exactly.
In practice, “joint controllership” is likely to encounter both minor and major problems. Art. 26 GDPR stipulates, among other things, that the
The agreement must duly reflect the actual functions and relationships of the joint controllers vis-à-vis the data subjects. The substance of the agreement shall be made available to the data subject.
Legitimate interest must exist for all responsible parties
In addition, the ECJ also commented on the possible legal bases for data processing. Specifically, it deals with the possibility of users’ prior consent and the invocation of a legitimate interest.
If website operators rely on a legitimate interest as a legal basis, the Luxembourg judges emphasize that this must be examined and present for all (co-)controllers. It is not sufficient for only one of the controllers to be able to rely on a legitimate interest.
The examination of a “legitimate interest” within the meaning of the GDPR basically takes place in three stages:
- Legitimate interest: Is there an interest pursued by the controller and/or by the third party or parties to whom the data are disclosed?
- Necessity: Is the processing of personal data necessary for the realization of the legitimate interest?
- Interest of the data subject: Are the fundamental rights and freedoms of the data subject (not) overriding?
Obligation to obtain consent and inform users also applies to the website operator
If a legitimate interest cannot be demonstrated, consent to use would be conceivable. The user’s consent must include the processing operations for which the website operator is also (jointly) responsible. Specifically, this means the collection and forwarding of data to Facebook.
For the data processing that takes place on Facebook itself, the website operator is no longer responsible and therefore does not have to obtain consent for this. This is the sole responsibility of Facebook.
However, in addition to the obligation to obtain consent, the operator of a website is also obliged to inform users about the data processing accordingly. Again, this is limited to data processing operations for which the operator can determine the means and purposes.
ECJ remains true to its line: website operators’ responsibility under data protection law must be taken seriously
The Luxembourg judges have thus obviously taken the questions referred as an opportunity to continue their previous case law on data protection law.
The ECJ ruled just last year that operators of a so-called Facebook fan page are also jointly responsible with Facebook under data protection law. The current ruling is therefore to be understood as a consistent continuation of this earlier decision and once again emphasizes the responsibility of website operators under data protection law.
In doing so, the ECJ is also following the recommendations of Advocate General Michal Bobek of December 19, 2018. The latter had also assumed joint responsibility for website operators and social-media service providers.
Decision transferable to the GDPR and other services
The decision of the ECJ was still issued on the basis of the old Data Protection Directive (Directive 95/46/EC). It should be possible to transfer the decision to the current legal situation without major problems. The concept of the “controller”, the possibilities for lawful processing of personal data and the basic information obligations have, however, also been adopted in many respects in the new General Data Protection Regulation (GDPR).
Furthermore, the decision of the ECJ in principle also applies to other providers of social media plugins, e.g. Instagram, Twitter, YouTube, Pinterest, Xing or LinkedIn. But not only that: the collection and forwarding of personal data from users of a website to third parties also traditionally takes place with many analysis services, such as Google Analytics. In these cases too, joint responsibility should therefore be examined.
In principle, a similar decision can be expected for cookies. The Advocate General has already commented on this.