Responsibilities for 'Like' button data protection clarified

Out-Law News | 15 Aug 2019 | 11:09 am | 4 min. read

Businesses that deploy social media 'plug-ins' on their websites are partly responsible for how personal data gathered from the use of those tools is processed, the EU's highest court has said.

The Court of Justice of the EU (CJEU) clarified website operators' obligations under data protection law when personal data is collected through their use of social media plug-ins in a case referred to it by a court in Germany. The German court asked the CJEU to help it clarify online clothing retailer Fashion ID's obligations under data protection law in relation to the processing of personal data deriving from it embedding the Facebook 'Like' button on its website.

The CJEU's ruling concerned the court's interpretation of EU data protection laws which have now been replaced by the General Data Protection Regulation (GDPR). The ruling is nevertheless still relevant to companies embedding social media plug-ins on their websites today as the GDPR has built on and strengthened the provisions from the EU's old data protection law that were relevant in this case.

Like many businesses, Fashion ID embedded the social media plug-in on its website to encourage consumers to publicise their interaction with its brand on the social network. By doing so, however, the retailer became responsible for the collection and subsequent disclosure of that data to Facebook, the CJEU suggested. The CJEU left it up to the Higher Regional Court in Düsseldorf to confirm this point.

The CJEU considered that the data gathered from the tool is processed "in the economic interests of both Fashion ID and Facebook Ireland". This is because Fashion ID seeks to derive a "commercial advantage" from the associated increased publicity for its goods and because Facebook is able to use the data collected from the tool and transmitted to it for its own commercial purposes, it said. Ireland is where Facebook has its European headquarters.

The CJEU suggested that Fashion ID and Facebook Ireland can be considered joint data controllers in respect of the personal data collected and then disclosed from the 'Like' button on Fashion ID's website. That finding means that Fashion ID and other businesses embedding social media plug-ins on their websites have certain obligations under EU data protection law, the CJEU said.

The court clarified, however, that liability is "limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue [to Facebook]". Fashion ID is not responsible for how personal data derived from the social media plug-in is processed by others once it has transmitted the information to Facebook, it said.

Businesses embedding social media plug-ins need to provide website visitors with certain information concerning their processing of data deriving from the use of the plug-ins, the CJEU said. That information must include the identity of the data controllers, details of the purposes of the data processing and further information such as an explanation of the rights of data subjects to access and rectify the data processed about them and a list of businesses or types of businesses to whom the data may be disclosed, according to the court.

The court's findings on the transparency requirements should also be considered in light of the GDPR which emphasises that data subjects should be informed about what data controllers and any third parties will do with the personal data collected about them. Businesses embedding plug-ins need to explain in their terms and conditions or privacy policy that users interacting with the plug-ins will have their data transmitted to the social media provider and provide some details of the third parties the data could also be shared with if that is indeed the case.

The CJEU also explained that businesses embedding social media plug-ins need to have a legal basis under data protection law for collecting and disclosing the personal data from using such tools, even in the context of their limited liability for that data. In its ruling, the court examined two legal bases that could be relied upon by the organisations: consent and legitimate interests.

The CJEU said that businesses could rely on the consent of data subjects to collect and then disclose their personal data from social media plug-ins. It is not necessary for those organisations to obtain consent for how that data may be subsequently used by the social media companies behind the plug-in software or any other third parties.

Alternatively, the other lawful basis for processing personal data is where businesses have a so-called 'legitimate interest' in processing the data and their interests in pursuing the processing do not unduly prejudice the rights and freedoms of individuals.

The CJEU explained in its ruling that the 'legitimate interest' ground for processing personal data gathered from social media plug-ins could only be relied upon if the business embedding the tool and the social media company receiving the data were both pursuing a legitimate interest.

While the CJEU provided guidance on the steps businesses embedding social media plug-ins need to take to meet their obligations under data protection law, the ruling was silent on the steps businesses should take to meet their obligations under 'e-Privacy' laws, which apply when cookies are used to gather data from internet users' devices; cookies often sit at the back of the plug-ins and are the means by which the data is actually collected.

A court in Belgium has already considered that rules on the use of cookies are pertinent to cases where social media plug-ins are embedded on websites in a case that has subsequently gone to the CJEU for a ruling on separate issues concerning jurisdiction and regulatory powers. Both the UK's Information Commissioner's Office (ICO) and French authority CNIL have issued updated guidance recently on the use of cookies in the GDPR era, marking a need for businesses to change previously acceptable practices – in particular around consent to cookies. A new EU e-Privacy Regulation has been envisaged and could further alter the standards of compliance around cookie use.

Data protection law expert Claire Edwards of Pinsent Masons, the law firm behind Out-Law, said that the CJEU's ruling in the Fashion ID case should therefore not be seen as detailing all the issues website operators must address to ensure compliance with information laws when embedding social media plug-ins. Where the plug-in uses cookies or similar technology to collect information then, save where such collection is used to enable necessary functionality, this will require the consent of the data subject, she said.