On July 29, 2019, the Court of Justice of the European Union (“CJEU”) handed down its judgment in the Fashion ID case (Case C-40/17). The CJEU found that when a website operator embeds Facebook’s “Like” button on its website, Facebook and the website operator become joint controllers. The case clarifies the relationship between website operators and social networking sites whose plug-ins are embedded into websites for user tracking and online marketing purposes. The ruling is expected to influence the contractual terms that companies will need to have in place when embedding such social plug-ins into their websites, and may also have ramifications for adtech practices more generally.

The Fashion ID case arose out of a 2015 complaint made by a German consumer protection association, Verbraucherzentrale NRW, against an online clothes retailer, Fashion ID, which embedded Facebook’s “Like” button on its website.  Facebook’s “Like” button is a social plug-in that allows website users to click the “Like” button to show on their Facebook profile that they “like” a certain product or service.  Websites use this plug-in to optimize their advertising on Facebook so that targeted ads can be shown to people who “like” their products.

Websites with the “Like” button collect information (e.g., IP addresses and browser string data) about not only the people who click the “Like” button, but also other website users who do not click the button, as well as those who do not have a Facebook account. This data is then transferred to Facebook.

The complaint filed by Verbraucherzentrale NRW alleged that Fashion ID’s use of the Facebook “Like” button breached EU data protection law because Fashion ID failed to appropriately inform users and obtain their consent to transfer personal data to Facebook.  The complainant sought an injunction by the court to order Fashion ID to stop using the functionality.

The Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany) referred the matter up to the CJEU, asking a number of questions seeking clarification as to several provisions of the Data Protection Directive 95/46/EC (which continue to have relevance under the EU’s General Data Protection Regulation), most notably:

  1. Can Member State laws implementing the Data Protection Directive allow consumer protection organisations to lodge data protection claims on behalf of affected individuals?

The CJEU decided that the provisions of the Data Protection Directive on “judicial remedies, liability and sanctions” give Member States the freedom to determine the “appropriate means” to ensure their application, which could extend to allowing consumer protection organizations to act on behalf of individuals whose data privacy rights have been impinged.  The CJEU also mentioned that this redress mechanism is now explicitly provided for under Art. 80 of the GDPR.

  2. Is the website (i.e., Fashion ID) a “joint controller” in relation to the data that Facebook collects about users?

Significantly, the CJEU decided that Fashion ID and Facebook are “joint controllers” in relation to Facebook’s collection and sharing of personal data.  According to the CJEU, by embedding the plug-in on its website, Fashion ID is “influencing” the collection and sharing of data and is “at least tacitly” consenting to it.  The CJEU decided that Fashion ID’s responsibility is most apparent in situations where users do not have an account with Facebook, but their data is nonetheless shared with Facebook as a result of accessing Fashion ID’s website.  The CJEU also determined that Fashion ID’s lack of access to the data is irrelevant when assessing “joint controllership” (consistent with earlier CJEU cases C-210/16 and C-25/17).

However, the CJEU clarified that although the term “controller” should be given a broad interpretation, an organization cannot be held responsible for upstream or downstream processing operations in the processing chain for which it does not determine the purpose or the means of processing.  In this regard, the CJEU held that Facebook (not Fashion ID) is the controller for the processing that takes place after the personal data related to the “Like” plug-in has been transferred to Facebook.

  3. Can Fashion ID and Facebook rely on their legitimate interests to collect and share personal data?

The CJEU did not give a clear answer to this question, but merely stated that both Fashion ID and Facebook would need to establish a legitimate interest, if they were intending to rely on this legal basis. 

  4. Who has responsibility to (i) provide notice to users about how the data is collected and used and (ii) collect consent from the users?

The CJEU decided that it is the website operator’s responsibility to provide notice to users and to obtain their consent.  However, the website operator only needs to inform users and obtain their consent for processing operations for which it is a “joint controller”.

This ruling mirrors the court’s findings in the Wirtschaftsakademie case (Case C-210/16), where the CJEU found that Wirtschaftsakademie, which offers educational services through a fan page hosted on Facebook, was a joint controller with Facebook for the processing of user website usage data through the “Facebook Insights” tool.  The CJEU’s reasoning in both cases provides useful guidance on how the court identifies “controllers” and “joint controllers” in data sharing relationships.  The CJEU’s findings suggest that companies using third party tools (e.g., cookies, plug-ins and other website analytics tools) to increase their online visibility may need to ramp up their disclosures to website users and strengthen the contractual terms they have in place with their advertising partners.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.