Website Firm Liable for Collecting Data From Facebook "Like" Button
Alerts
July 29, 2019

On July 29, 2019, the European Court of Justice (ECJ) issued its decision in FashionID (Case C-40/17), determining that website operators are jointly liable with plugin providers for data collection and transmission through social media buttons and other embedded plugins. Although the ECJ found the operator and plugin provider to be jointly liable, the court placed the burden on the website operator to provide notice and, where necessary, obtain consent for the joint activity. Further, the court found the plugin provider to be independently responsible for any subsequent use of the data. The decision will likely prompt regulators to closely scrutinize the use of third-party plugins.

Background

A German consumer union brought a claim against online retailer FashionID for failing to provide notice and obtain consent for data collection and processing through Facebook "Like" buttons embedded in FashionID's website. The Facebook "Like" button transmitted data to Facebook even before a visitor clicked on it and irrespective of whether the visitor held a Facebook account. The German court asked the ECJ to decide whether embedding a third-party plugin in a website makes the website operator a controller for the collection and processing of visitor data by the plugin provider and how General Data Protection Regulation (GDPR) obligations regarding a legal basis for processing and for providing notice apply when embedding third-party plugins.

Website Operator and Plugin Providers Are Joint Controllers

The ECJ fleshed out the concept of joint control by analyzing a processing activity as a set of individual processing operations and then assessing which entity determines the purposes and means for each operation. According to the ECJ, organizations are joint controllers for those processing operations for which they jointly determine the purposes and the means, but organizations are not responsible for processing operations earlier or later in the chain, which they do not control.

When assessing the data processing implicated by Facebook "Like" buttons, the ECJ distinguished between the collection, transmission, and subsequent use of personal data. The court found that by integrating Facebook's code into its website, FashionID has made the decision to allow the collection and transmission of personal data to Facebook. The court further noted that FashionID derives an economic benefit from the collection and transmission of personal data through optimizing advertisements and increasing its visibility on the Facebook platform. In light of these considerations, the court concluded that FashionID and Facebook are joint controllers for the collection and transmission of personal data. However, the court also concluded that FashionID does not have any control over the purposes and means of subsequent processing of personal data by Facebook, and is thus not a controller for that processing activity.

Website Operator Responsible for Notice and Consent

According to the ECJ, each joint controller involved in collection and transmission of personal data through the use of plugins should: (1) rely on a legal basis; and (2) provide notice to individuals about its processing. However, where the legal basis for the processing is consent, such consent must be obtained prior to the processing, and notice must be provided to individuals prior to collection. Consequently, since data is transmitted to Facebook as soon as the "Like" button is displayed, the ECJ concluded that the website operator must provide notice and obtain consent for the processing operations that it jointly controls with the third-party plugin provider (i.e., the collection and transmission of data). The website operator, however, does not bear notice and consent obligations for any subsequent use of the data by that plugin provider.

The court made some interesting observations regarding the legal basis for processing. In particular, the ECJ did not state that consent is the only possible legal basis for the collection and transmission of data in the context of Facebook "Like" buttons, and implied that an alternative legal basis—the "legitimate interest" legal basis—can be used instead.

What About Cookies?

The ePrivacy Directive 2002/58 (as amended) requires consent to store or access personal or non-personal data on a user's device. With limited exceptions, storing or accessing information is subject to prior opt-in consent. The ECJ did not determine whether the Facebook "Like" button involves such storing or access, but left it to the national court to make this assessment and determine whether such consent would be required under the ePrivacy rules. The ECJ did not state whether such consent should be obtained by the website operator, by the third-party plugin, or by both.

Conclusions and Implications

This long-awaited decision confirms the current trend in EU data protection law to consider companies to be joint controllers when they are involved in the same processing activity. However, the ECJ placed some significant limits on this trend: website operators are only joint controllers for the processing operation for which they actually determine the purposes and the means, but not for the further processing by the plugin providers. The European Data Protection Board is working on updating the Working Party 29 Opinion on the concept of controller, and it will be interesting to see how it interprets these limitations.

While the ECJ landmark decision placed the burden to provide notice and, where necessary, obtain consent for collection and transmission on the website operator, it clarified that plugin providers and website operators are joint controllers with regard to that processing operation. This means that the plugin provider will remain jointly liable to provide notice and obtain consent, despite not having a direct relationship with individuals.

This decision will have significant impact on the use of cookies and similar technologies by website operators and plugin providers, and related market practices. As recently reported in various WSGR Data Advisor blog posts, European data protection authorities are currently reviewing their existing guidance on the use of cookies and similar technologies for online behavioral advertising (see our posts on the CNIL and the ICO) and market practices are in flux.

In light of this ECJ decision, website operators and plugin providers should consider taking some compliance steps:

  • Website operators should: (1) identify and assess their use of third-party plugins in websites and apps; (2) review their notice and consent strategy for data collected through plugins; and (3) review the data protection terms in contracts with plugin providers.
  • Plugin providers should: (1) review their notice and consent strategy for data collected through plugins; (2) revise their data protection terms in contracts with website operators to allocate responsibility between the company and the website operator; and (3) monitor website operators' compliance with contractual consent obligations.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues in Europe and beyond, and will monitor closely developments related to adtech in Europe. For more information, please contact Cédric Burton, Jan Dhont, Laura de Boel, Lore Leitner, Nikolaos Theodorakis, Lydia Parnes, Chris Olsen, or another member of the firm's privacy and cybersecurity practice.

Bastiaan Suurmond and Rossana Fol contributed to the preparation of this alert.

Contributors

  • Rossana Fol
  • Christopher N. Olsen
  • Cédric Burton
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.