Case C-210/16 before the European Court of Justice, also known as the Fashion ID case, concerns the joint controllership relationship between Facebook and website operators that embed the Facebook “Like” button on their sites. Fashion ID GmbH & Co. KG, an online fashion retailer, had the Like button on its website. To understand the case, it’s necessary to understand what plug-ins do. In practice, the presence of the Facebook plug-in means that the IP address of an individual is automatically transferred to Facebook when that individual visits the website, in this case that of Fashion ID. It’s important to note that this happens even if the visitor doesn’t click the “Like” button, and that Facebook also placed cookies, including session, datr and fr cookies, on the visitor’s device.
Verbraucherzentrale NRW e.V., a German consumer protection organization, believed that the plug-in on Fashion ID’s website violated the data protection law of the time (this was before the GDPR went into force) and therefore brought the case to court. The competent court, however, asked the CJEU to rule on the question of joint controllership, among others.
Advocate General Bobek had already stated, in his 19 December 2018 opinion, that he considered Fashion ID to be a joint controller together with Facebook, though with “its liability being limited however to a specific stage of the data processing”.
In the final decision, the CJEU indeed determined that Fashion ID was not a controller in respect of the data processing carried out by Facebook, as Fashion ID does not determine the means and purposes of that processing. It ruled, however, that Fashion ID was a joint controller with Facebook concerning the collection and disclosure by transmission of visitor data to Facebook, as they jointly determine the means and purposes of such operations. Being a joint controller brings with it certain responsibilities, such as providing adequate information to the visitors of the website at the time their data are collected, including both the purposes of processing and its identity. Furthermore, Fashion ID as a joint controller is required to obtain prior consent with respect to the processing for which it is a joint controller (the collection and transmission of the data to Facebook).
“(101) In the present case, while the operator of a website that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider the personal data of the visitor can be considered to be a controller, jointly with that provider, in respect of operations involving the collection and disclosure by transmission of the personal data of that visitor, its duty to obtain the consent from the data subject under Article 2(h) and Article 7(a) of Directive 95/46 and its duty to inform under Article 10 of that directive relate only to those operations. By contrast, those duties do not cover operations involving the processing of personal data at other stages occurring before or after those operations which involve, as the case may be, the processing of personal data at issue.”
Importantly, the court noted that the fact that Fashion ID has the Facebook button embedded on its website allows it to “optimize the publicity for its goods by making them more visible on the Facebook social network when a visitor to its website clicks on that button.” It can be concluded that Fashion ID therefore has consented to such transmission to Facebook as doing so was advantageous for the company and therefore “those processing operations appear to be performed in the economic interests both of Fashion ID and of Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes constitutes the consideration for the benefit to Fashion ID.”
Concerning legitimate interest, the Court found that “each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them.”