On July 29, 2019, the Court of Justice of the European Union (“CJEU”) adopted a judgment confirming the broad definition of the concept of “controller” under EU data protection law.
In the respective case, the CJEU addressed the actions of Fashion ID GmbH & Co. KG (“Fashion ID”), a German online clothing retailer, which embedded the ‘Like’ social plugin from the social network Facebook (‘the Facebook “Like” button’) on its website. The consequence of embedding such button appeared to be that when a visitor visited the website of Fashion ID, that visitor’s personal data were transmitted to Facebook Ireland Ltd (“Facebook Ireland”), without that visitor being aware of it and regardless of whether or not he or she was a member of the social network Facebook or had clicked on the ‘Like’ button.
In its judgement the CJEU found that an operator of a website, such as Fashion ID, that embeds on that website a social plugin causing the browser of a visitor of that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, can be considered to be a “controller”, namely jointly with the provider of the social plugin, in the respective case Facebook Ireland, and despite the fact that the operator of a website, such as Fashion ID, does not itself have access to the personal data collected and transmitted to the provider of the social plugin, such as Facebook Ireland. Namely, according to CJEU, by embedding that social plugin on its website, Fashion ID exerted a decisive influence over the collection and transmission of the personal data of visitors to that website to Facebook Ireland, which would not have occurred without Fashion ID embedding that plugin. It should, however, be noted that in CJEU’s opinion, the operator of a website, such as Fashion ID, cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter.
The CJEU further made clear that the operator of a website such as Fashion ID, as a (joint) controller in respect of certain operations involving the processing of the data of visitors of its website, such as the collection of those data and their transmission to Facebook Ireland, also has certain obligations. The operator of the website thus has to obtain a (prior) consent of the data subjects and must provide them, at the time of collection, with certain information, e.g, its identity and the purposes of the processing. These obligations are, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by the transmission of the data at issue.
Considering the abovementioned judgement of the CJEU, the operators of websites that embed a social plugin such as the ‘Like’ social plugin from the social network Facebook, are also bound by the EU data protection law and obligations thereby imposed on them.