Interactive Advertising Bureau

Case C-40/17 - FashionID

Sep 07, 2019

A LINK TO THE FULL JUDGEMENT CAN BE FOUND HERE.

Context

On 29 July 2019, the CJEU handed down a judgment in Case C-40/17, Fashion ID. The judgment touched on issues relating to consent in situations where there may be multiple controllers; in that sense it built upon the previous judgment handed down in Case C‑210/16, Wirtschaftsakademie, in 2018, in which the Court held that the definition of ‘controller’ needs to be interpreted broadly.

The facts of the case centre around the online retailer ‘Fashion ID’ and its inclusion of a Facebook ‘Like’-button plugin on its website. A consumer organisation, Verbraucherzentrale NRW, criticised Fashion ID for the use of this ‘Like’ button, as its inclusion on the website means that personal data is collected and transferred to Facebook without consent being obtained or transparency being provided. The CJEU confirms that transmission of personal data from the website to Facebook occurs regardless of whether the user is a Facebook member or not, and regardless of whether they have clicked on the ‘Like’ button.

In defending against that claim, Fashion ID asserted that it was not a controller as it had no influence either over the data transmitted by the visitor’s browser from its website or over whether and how Facebook makes use of the data transmitted through the ‘Like’ button.

The Court’s Judgment

The CJEU found that by embedding Facebook’s ‘Like’ button, Fashion ID made it possible for Facebook to obtain personal data of visitors to its website. This echoes the judgment in the Wirtschaftsakademie case where, by creating an opportunity for another data controller to collect personal data, the website itself also becomes a joint controller.

However, the CJEU noted that Fashion ID was capable of deciding (together with Facebook) only how and for which purposes the personal data of its site visitors is passed on to Facebook, not what happens to the personal data after that point. Therefore, it can be considered a joint controller only with respect to the collection and transmission of data to Facebook, but not for any further processing actions undertaken by Facebook once that data has been transmitted to Facebook.

Answering another question from the referring Court, the CJEU also touches on the question of which party is responsible for requesting consent for the collection and transmission of personal data in a situation as described in the case. The CJEU here reasons that it must be the operator of the website (the first party) that gets consent on behalf of the provider of the social plugin (the third party), because it is the visitor entering the website that triggers the collection and transmission of the personal data.

That consent only relates to the processing activities that the website operator has control over, however - i.e. the collection of and transmission of information. Consent for other processing purposes needs to be given to the provider of the social plugin, in this case Facebook.

Implications of the Judgment

While the present case concerned Facebook’s ‘Like’ button, the CJEU attempted to interpret the facts of the case in a technologically neutral manner - meaning that the ruling applies to situations where a website operator embeds “a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor”.

Some might interpret this as being analogous to digital advertising banner placements - which technically could similarly be defined as content that is requested by the website operator from a third party through an ad server. Moreover, in the sense that this ruling affects how the definition of ‘controllers’ is to be interpreted, it could be reasonably argued that in any case where a website operator helps other organisations collect data about site visitors (i.e. by allowing vendors to place cookies on their page), they are inherently considered joint controllers because they make it possible for those third parties to collect information there.

The bottom line is that this judgment more or less confirms that publishers are joint controllers with their ad tech and data partners. As a result of this, they are also in charge of gaining consent on behalf of third parties when it comes to allowing the collection and disclosure of personal data on their website by those third parties.

IAB Europe is the European-level association for the digital marketing and advertising ecosystem