The Facebook like button from a privacy law perspective
On 29 July 2019, the Court of Justice of the European Union (CJEU) released its judgement on its latest data protection legislation[1] court case involving the Facebook Like button which is incorporated on a third party website. Such social plug-ins allow the transfer of personal data of website visitors, such as their IP address or browser.
The Case
An online fashion retailer embedded the Facebook Like button on its website. When a user visited the retailer’s website, their personal data would automatically be transferred to Facebook Ireland regardless of whether the visitor was a Facebook user or had clicked on the Like button. Furthermore, this personal data was transferred without informing the website visitor or obtaining their consent.
The CJEU decided that the online retailer could not be regarded as a ‘controller’ for the processing of personal data as operated by Facebook Ireland after the transmission had taken place, as the retailer could not determine the purposes and/or means of that processing activity, which are key elements for the qualification as a ‘controller’.
However, the CJEU does consider the online retailer a ‘joint controller’ together with Facebook Ireland for the collection and disclosure of personal data. Hence, the CJEU concluded that both Facebook Ireland and the online retailer jointly determine the means and purposes of the operations involving the processing of personal data.
The CJEU argues that, by embedding the Like button, the online retailer has (implicitly) consented with the collection and disclosure by transferring the personal data of its website visitors. There are economic interests in the processing activities established for both parties as (i) the retailer gains more visibility by embedding the Like button, and (ii) Facebook Ireland can use the collected personal data for its own commercial purposes. Hence, the qualification of both parties has led to a joint-controllership.
Lastly, if ‘legitimate interest’ is used as the legal basis to process personal data, each joint controller needs to pursue a legitimate interest for each processing activity. Thus, a legal basis (e.g. legitimate interest or consent) needs to be present for the transfer of personal data between two joint controllers.
[1] The previous data protection legislation (‘EU Directive 95/46’) applied to the underlying case as the GDPR had not yet entered into force on the date of the facts.