Blog
Blog » THE FACEBOOK “LIKE” BUTTON AND WHAT LIES BEYOND – LUXEMBOURG RULED
THE FACEBOOK “LIKE” BUTTON AND WHAT LIES BEYOND – LUXEMBOURG RULED
21 August 2019
Before the summer break the Court of Justice of the European Union made a decision in a data protection related matter which concerned Facebook as well. The decision may be interesting and useful for everybody who embeds of his website the Facebook “Like” button. In our short article we summarize the most important findings of the Court.
1. The illustrious „Like” button the webpage of Fashion ID
Fashion ID is a German online clothing retailer who embedded on his website the Like social plugin of Facebook.
Embedding the Facebook „Like” button on a webpage basically means that the personal data of the visitors of the that webpage (IP address, browser data) will be transmitted to Facebook.
In relation with the transmission of the data it is irrelevant whether the webpage visitor clicks the “Like” button or not or whether he is a Facebook member or not. That means that someone’s data will be transmitted to Facebook if he visited a webpage on which the Facebook “Like” button was embedded.
2. The consumer protection strikes back
The Verbraucherzentrale NRW, a German association tasked with safeguarding the interest of consumers could not remain indifferent to the fact that the data of the visitor of Fashion ID’s webpage will be obtained by Facebook without the knowledge of the webpage visitor.
That is why Verbraucherzentrale NRW decided to sue Fashion ID to force it to stop that practice. The first instance court party decided in the favour of Verbraucherzentrale NRW but Fashion ID appealed the decision, furthermore Facebook also intervened in the appeal.
In the appeal procedure the court decided that it is necessary for the Court of the European Union to decide in certain data protection related matters thus he requested a preliminary ruling.
3. The main data protection related question and the decision of the Court
The most important data protection related question of the case was whether the operator of a webpage who embeds on his webpage a social plugin which transmits data to the provider of that social plugin can be considered as controller despite that he is unable to influence the processing of the data transmitted.
When examining the question, the Court divided the data processing activities into to categories: to the data processing until the transmission and after the transmission of the data to Facebook. it can be established that after the transmission of the data Fashion ID does not have any influence on the data processing. By contrary, in relation with the collection of the data by the webpage and their transmission to Facebook it may occur that Fashion ID determine the purposes of the processing jointly with Facebook.
Indeed, embedding the “Like” button may provide more publicity to Fashion ID while it may be beneficial to Facebook that he may be able to use the collected data for his commercial purposes. This means that the data processing is carried in the economic interests of both parties, for their jointly determined purpose which could be the basis of them being joint controllers. Further, the fact that Fashion ID does not have access to the collected and transmitted data does not preclude him from being a controller.
4. What are the consequences of being joint controllers?
Given the fact that in relation with the collection and transmission of the personal data to Facebook Fashion ID could be considered as a (joint) controller, by the time of the collection of the data he shall inform the webpage visitors about the data processing activities.
This is particularly important since those people can also visit Fashion ID’s webpage who are not members of Facebook and do not have a Facebook account. Regarding those people the liability of Fashion ID as the webpage operator is even higher.
In fact, basically it is Fashion ID who is in the position to inform the data subjects about the circumstances of the data processing by placing a privacy notice on his webpage and especially about the fact that the mere consulting of the webpage will result in a data transmission to Facebook.
5. Lesson learnt
The basic lesson is that the capacity and liability of (joint) controllership can be based on the joint determination of the processing purposes, for example the common economic interest of the controllers. The capacity of being a controller is independent of the fact whether the controller has access or not to the data.
In brief: if you have influence on the purpose of the processing you may be considered as a controller even if you do not store or do not have access to that data.
As a rather specific lesson you should bear in mind that in case you embed on your webpage the Facebook “Like” button you may be considered as a joint controller together with Facebook and you need to inform the visitors of your webpage that their data will be transmitted to Facebook.
-
CJEU DECISION IN A GDPR-RELATED CASE: DOES THE VIOLATION OF THE GDPR AUTOMATICALLY CONSTITUTE NON-MATERIAL DAMAGE?
Does the infringement of the data subjects’ rights by the controller give automatically rise to compensation? Can the controller be exempted from liability solely on the basis that the damage was the result of the fact that its employee did not comply with its instructions? What are decisive criteria to determine the amount of damages? In this article we analyse the fresh decision of the CJEU which addressed the previous questions.
Read more » -
HUNGARY – PERSONAL SCOPE EXTENSION OF JURISDICTION CLAUSE TO NON-SIGNATORY UNDER BRUSSELS IBIS
Does the principle of independence of the choice-of-court agreement require that parties shall expressly transfer the dispute resolution clause in case of transfer of the main contract? When can the personal scope of a jurisdiction agreement be extended to a non-signatory? A Hungarian appellate court decided upon these questions under the Brussels Ibis Regulation in a recent judgment
Read more » -
SETTING ASIDE ARBITRAL AWARDS IN HUNGARY
Given that there is no right of appeal in arbitration proceedings, it is important to be aware of what other legal remedies are available to you against an arbitral award. According to the Hungarian Arbitration Act, the parties may request the competent state court to set aside the award, which is a “mandatory” remedy, which cannot be waived by the parties in advance.
Read more »