The case is a continuation of the CJEU’s shift in placing responsibility on businesses under European data protection law. In last year’s decision, Wirtschaftsakademie Schleswig-Holstein (case C-210/16), the court concluded that an administrator of a Facebook fan page will be considered a joint controller with Facebook for some processing activities (read more here). In the recent Fashion ID case, the CJEU seems to uphold a low threshold for constituting joint controllership.
The background for the present case is a lawsuit in Germany, where a German consumer body sued Fashion ID GmbH & Co. KG, a German online fashion retailer, for breaching data protection rules by using Facebook Like buttons on the retailer’s website. The placement of the Facebook Like button causes a visitor’s personal data to be automatically transferred to Facebook once the visitor’s browser has loaded the Fashion ID website. This happens irrespective of the user clicking the ‘Like’ button or having a Facebook account.
While handling the lawsuit, the German court sought guidance from the CJEU on several questions in the case. In the CJEU’s ruling, Fashion ID as a website operator was considered a joint controller with Facebook regarding Facebook’s collection and processing of personal data in connection with the Facebook Like button. The court’s reasoning is that the website operator participates in determining the purposes and means of Facebook’s processing activities. This holds even though the website operator itself has no access to the data that Facebook collects and processes through the placement of the Facebook Like button.
The parties’ responsibilities as joint controllers
As a joint controller, the website operator is held responsible by the court for several matters. Firstly, the website operator must have a legal basis in order to process and transfer website visitors’ personal data. Secondly, the website operator must obtain consent where this is required under the ePrivacy Directive, in order to use such social media plug-ins lawfully. Thirdly, the website operator must inform visitors in a transparent way about the processing activities relating to their personal data, including the use of social media plug-ins.
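The mechanism described above (the plug-in makes the visitor’s browser contact Facebook as soon as the page loads, before any click) is what the consent requirement has to prevent in practice. The following is an added example, not code from the article or from any of the parties: a small consent gate that rewrites third-party `<iframe>`/`<script>` embeds in a page’s HTML into inert placeholders, records which external hosts would otherwise be contacted (useful for the transparency duty), and only restores the real `src` once consent for the “social” purpose has been recorded. The host name, sample HTML and the `social` consent key are constructed for illustration.

```javascript
// Added example (not from the article): consent-gated loading of third-party
// social plug-ins. Until the visitor consents, the plug-in markup carries
// data-consent-src instead of src, so the browser never requests it and no
// personal data leaves the visitor's browser on page load.
// Host names, sample HTML and the consent purpose key are constructed.

// Matches the opening tag of an <iframe> or <script> that has a src attribute.
const THIRD_PARTY_EMBED = /<(iframe|script)\b([^>]*?)\s(src)=["']([^"']+)["']([^>]*)>/gi;

// Returns the host of an absolute URL, or null for relative (first-party) URLs.
function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// True when the embed points at our own site (same host or a subdomain of it).
function isFirstParty(host, firstPartyHost) {
  return host === null || host === firstPartyHost || host.endsWith('.' + firstPartyHost);
}

// Rewrites every third-party embed so that src becomes data-consent-src.
// Returns the gated HTML plus a list of the third parties that were blocked,
// which the operator can use to document the plug-ins in its privacy notice.
function gateEmbeds(html, firstPartyHost) {
  const blocked = [];
  const gated = html.replace(THIRD_PARTY_EMBED, (match, tag, before, attr, url, after) => {
    const host = hostOf(url);
    if (isFirstParty(host, firstPartyHost)) {
      return match; // first-party resource: leave it alone
    }
    blocked.push({ tag: tag.toLowerCase(), host, url });
    return `<${tag}${before} data-consent-src="${url}"${after}>`;
  });
  return { html: gated, blocked };
}

// Releases the gated embeds only when consent for the "social" purpose is
// recorded; otherwise the markup is returned unchanged and nothing loads.
function releaseEmbeds(gatedHtml, consent) {
  if (!consent || consent.social !== true) {
    return gatedHtml;
  }
  return gatedHtml.replace(/data-consent-src=/g, 'src=');
}

// Constructed sample page: one first-party script and one social plug-in.
const SAMPLE_HTML =
  '<script src="/static/app.js"></script>' +
  '<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fshop.example%2Fitem" width="100"></iframe>';

// Walks the sample through both stages; returns the intermediate results so
// they can be inspected or asserted on.
function demo() {
  const gated = gateEmbeds(SAMPLE_HTML, 'shop.example');
  return {
    gated,
    withoutConsent: releaseEmbeds(gated.html, { social: false }),
    withConsent: releaseEmbeds(gated.html, { social: true }),
  };
}

// Prints the blocked third parties and the gated markup when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  const result = demo();
  console.log('blocked third parties:', result.gated.blocked.map((b) => b.host));
  console.log('gated HTML:', result.gated.html);
}
```

In a real deployment the server applies `gateEmbeds` when rendering the page, and the consent banner’s “accept” handler performs the equivalent of `releaseEmbeds` on the live DOM; the `blocked` list doubles as an inventory of the external parties that must appear in the privacy notice.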
However, the court emphasizes that assuming responsibility as a joint controller with Facebook does not necessarily result in “equal responsibility.” Businesses must therefore conduct a thorough analysis of the different processing stages and activities, in order to place responsibility with the right party. One aspect the court does not address is the relationship between the parties in terms of liability.
The judgment has drawn reactions from several stakeholders. The German consumer body welcomes the conclusion, as it forces companies that profit from user data to live up to their responsibilities. Others argue that the decision is problematic. Bitkom, Germany’s main technology industry association, states that the CJEU through this decision is “imposing enormous responsibility on thousands of website operators – from the small travel blog to the online megastore, as well as the portals of major publishers”.
Although the judgment is based on Directive 95/46/EC, which was repealed by the EU General Data Protection Regulation (GDPR) on 25 May 2018, the concept on which the finding rests, namely the notion of controller, is intended to have the same meaning under the GDPR.
What does the judgment mean for businesses?
The judgment underlines the need for businesses to evaluate their relationship with service providers/business partners with regard to processing of personal data. In practice, service providers tend to regard themselves as “independent controllers” rather than joint controllers, in order to avoid being exposed to added liability. This judgment, read in conjunction with similar cases in recent years, indicates that a joint controller situation may be inevitable in some cases where the activities of businesses are closely linked.
Businesses should therefore carefully assess the roles and responsibilities for each processing activity. A joint controller situation will typically only be relevant for specific activities where the parties jointly determine the means and purposes of the processing. Under the GDPR, joint controllers are required to have an arrangement, typically through agreements and privacy statements, in which they set out their respective responsibilities and the data subjects’ rights in a transparent manner. In many cases, such an arrangement would also be necessary for independent controllers, especially when it comes to regulating responsibilities and liability between the parties.
Businesses should also note the importance of ensuring transparency regarding the processing of personal data. Controllers must ensure that their customers are able to understand the privacy implications of using their services. This may require additional effort for joint controllers. Under joint controllership, businesses should make sure that they understand how their joint controllers use or otherwise handle personal data, since they can be held both responsible and liable for the other controller’s processing activities.