What is the Cost of a “Like”? (Case no. C-40/17 – Fashion ID)

What is the Cost of a “Like”? (Case no. C-40/17 – Fashion ID)

Author: Tamara Staric Petrovic, SELIH & PARTNERJI Law Firm

The development and widespread use of the online social network Facebook (hereinafter “Facebook”) has changed not only the dynamics of social relationships, but also – together with other online platforms and tools – the manner in which enterprises advertise their business. More and more companies are adopting new advertising strategies that focus primarily on product recognition. Given its popularity, Facebook is proving to be an ideal platform for businesses (especially online traders) to pursue such strategies with little investment – at least at first glance.

Linking online stores to content on Facebook may have unintended consequences – especially in terms of consumer protection and (lately unavoidable) data protection law – as illustrated in the ECJ’s judgement in case C-40/17 of 29 July 2019 (hereinafter the “Judgement”)[1].

Background to the case and referral for a preliminary ruling

The facts are summarised in the Judgement as follows: The company Fashion ID GmbH & Co. KG (hereinafter “Fashion ID”) manages an online store selling fashion items. It embedded on its website the “Like” social plugin from Facebook, run by the company Facebook Ireland Ltd. The plugin is technically represented as a ‘like’ button. The consequence of installing such a plugin is that when a visitor visits Fashion ID’s online store, Facebook automatically and without any further action from Fashion ID receives the visitor’s IP address and its browser’s technical data. The data are sent regardless of (i) whether the visitor clicks on the like button, (ii) whether the visitor in question is a user of Facebook or not, and (iii) the fact that the visitor neither is aware nor has consented to such transfer of their personal data to Facebook. Fashion ID is not involved in determining the purposes for which the visitor’s data are collected by Facebook nor the manner in which they are processed once they are in Facebook’s possession, nor does Fashion ID have access to this data.

The German association for consumer protection (Verbraucherzentrale NRW e.V.) sought a cease and desist injunction against Fashion ID on the grounds that it was in breach of data protection legislation. The case was then referred for appeal to the Higher Regional Court in Düsseldorf, Germany (Oberlandesgericht Düsseldorf), which referred six questions to the ECJ in line with Art. 267 TFEU[2]. The questions deal with the interpretation of Articles 2, 7, 10, 22, 23 and 24 of Directive 95/46[3] and certain other provisions of the Directive on privacy and electronic communications[4].[5]

Directive 95/46 was repealed by the General Data Protection Regulation (hereinafter “GDPR”)[6] with effect as of 25 May 2018. However, since the factual background of the matter took place before the adoption of the GDPR, Directive 95/46 applies.

This article will focus primarily on three of the six questions referred (specifically, the second, fifth and sixth question), as these are considered to remain relevant in the new GDPR framework, namely:

  • “2. In a case such as the present one, in which someone has embedded a programming code in his website which causes the user’s browser to request content from a third party and, to this end, transmits personal data to the third party, is the person embedding the content the “controller” within the meaning of Article 2(d) of Directive 95/46 if that person is himself unable to influence this data-processing operation?
  • To whom must the consent to be declared under Articles 7(a) and 2(h) of Directive [95/46] be given in a situation such as that in the present case?
  • Does the duty to inform under Article 10 of Directive [95/46] also apply in a situation such as that in the present case to the operator of the website who has embedded the content of a third party and thus creates the cause for the processing of personal data by the third party?”

Decision of the ECJ

When rendering the decision and arguing its position, the ECJ followed in whole the Opinion from 19 December 2018 of Advocate General M. Bobek[7], which refers predominantly to two recent judgements of the ECJ in the cases (i) Wirtschaftsakademie Schleswig-Holstein[8] and (ii) Jehovan todistajat[9].

The ECJ concluded the following[10]:

Question 2

The primary goal of Directive 95/46 and Art. 2(d)[11], which defines a controller, is to ensure, through a broad definition of the concept of “controller”, effective and complete protection of data subjects.[12] Some main characteristics of a controller are the following[13]:

  • it is a body (e., a natural or legal person, public authority, agency), which alone or jointly with others determines the purposes and means of the processing[14] of personal data. The controller will be pursuing its own goals which lead it to be interested in the processing of personal data;
  • the concept may also refer to multiple actors, taking part in particular processing, each subject to the applicable data-protection provisions;
  • in cases of joint responsibility for the same processing, Art. 2(d) of Directive 95/46 does not require each actor to have access to the personal data concerned.

A person may be regarded as a controller (jointly with others) only in respect of operations involving the processing of personal data for which it determines jointly the purposes and means. Conversely, such a person may not be deemed a controller under Art. 2(d) of Directive 95/46 with respect to any preceding or subsequent processing procedures, for which they do not determine the purposes and manners of processing.[15]

Regarding the liability of joint controllers, the ECJ again[16] emphasized that the existence of joint liability does not necessarily imply equal responsibility of various controllers engaged in the processing of personal data. Since some of the controllers may be involved at different stages of the processing and to different degrees, the extent of each joint controller’s liability must be assessed with regard to all the relevant circumstances of the particular case.[17]

In the present case, the ECJ thus concluded that Fashion ID may be deemed a joint controller under Art. 2(d) of Directive 95/46, though solely with respect to the collection and transfer to Facebook of the personal data of visitors to its online store. On the other hand, it cannot be deemed a controller with respect to any subsequent processing once Facebook possessed the data. By embedding the Facebook ‘like’ button on its website, Fashion ID has optimized the advertising of their products by increasing their visibility on Facebook. By embedding the button, Fashion ID at least implicitly consented to the collection and transfer to Facebook of personal data of visitors to its online store with the purpose of taking advantage of the commercial benefit conferred through the associated increased advertising of its goods. Such processing actions benefit commercially both Fashion ID and the company Facebook Ireland. The latter may use such personal data for its own commercial purposes, as payment for the benefits Fashion ID receives.

Questions 5 and 6

The essence of these two questions is (i) who is responsible for obtaining the consent to process personal data in the present case and (ii) who is responsible for providing information required under the relevant personal data protection legislation to the visitors of an online store in which a third party plugin is embedded: the administrator of such an online store (i.e., Fashion ID) or the provider of the plugin (i.e., Facebook)?

In responding to these two questions, the ECJ referred to its response in respect of question 2 – chiefly, that, in line with Art. 2(d) of Directive 95/46, the website operator will be deemed a controller if it embeds into the website a third party social media plugin that allows the browser used by a visitor to that website to request content from the third party provider of that plugin and to transfer to that third party provider personal data of the visitor. However, the liability of such controller is limited to the data processing procedure or set of procedures, for which that particular controller determines the purposes and manners of processing.

According to the ECJ, such a controller (in this case, Fashion ID) is obliged to:

  • obtain from visitors to its online store consent in line with Arts. 2(h)[18] and 7(a)[19] of Directive 95/46; and
  • provide visitors to its online store information under Art. 10[20] of Directive 95/46.

Such consent must be obtained and such information given before the collection and transfer of data subjects’ personal data takes place, since the processing is initiated immediately upon accessing Fashion ID’s online store.[21]

Furthermore, according to the ECJ, it appears that these two obligations will only arise with regard to the operation or set of operations involving the processing of personal data for which Fashion ID actually determines the purposes and means. Here, such an operation or operations would mean the collection and transfer of personal data to Facebook. These obligations on the contrary do not arise with regard to the processing of personal data at other stages of processing, whether preceding or following the aforementioned procedures, even though they may involve the processing of the same personal data. This would be the case once the data are with Facebook and Facebook determines the purposes and manners of processing.[22]

Conclusion

So what can companies and entrepreneurs (in particular SMEs) learn from the Judgement? Primarily, they should acknowledge that planning an advertising strategy will no longer solely involve the traditional considerations around marketing, statistics, conversions etc.  Rather, businesses must now also consider potential legal issues arising from and ensure a careful review of the terms and conditions of each online platform, plugin and online tool that they wish to incorporate into their advertising campaign.

As stated above, Directive 95/46 is no longer applicable. Nevertheless, the core questions, considered by the ECJ in the Judgement ­­- namely, the definition of a controller, and the obligations to obtain consent and provide information – have become perhaps more relevant since 25 May 2018 and the implementation of GDPR. The material definitions, principles of the processing of personal data and obligations of controllers and other subjects remain the same under the new framework. Meanwhile, some of the controller’s obligations have been defined in more detail, such as the information to be presented to data subjects before the processing is begun and before the subjects consent to the processing of personal data[23].

Last, but not least, the administrative fines for breaches of GDPR may now represent a material portion of a company’s revenues. Moreover, the company in breach would additionally be required to bring its ongoing business operations in line with GDPR, which will likely prove to be more complex and costly once these are already established.

A narrowly focused pursuit of brand recognition and “likes” may prove expensive for a business if it does not step back to consider legal compliance. Thus, before implementing any material changes in commercial operations, advertising, marketing and communications with users (and, more importantly, consumers), we advise every business to seek advice from experts in the relevant field.

 

[1] The text of the entire Judgement is available here.

[2] The Treaty on the Functioning of the European Union (OJ C 326, 26 October 2012, p. 47–390).

[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23 November 1995, p. 31–50).

[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31 July 2002, p. 37–47).

[5] The original wording of all referred questions is available in para. 42 of the Judgment.

[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016, L 119, p. 1).

[7] The Opinion is available at the same link as the Judgement.

[8] C‑210/16, EU:C:2018:388, judgement of 5 June 2018 (hereinafter “Wirtschaftsakademie Schleswig-Holstein“).

[9] C‑25/17, EU:C:2018:551, judgement of 10 July 2018 (hereinafter “Jehovan todistajat”).

[10] All conclusions are subject to a fact-finding procedure before the national court, which will determine the final facts of the case.

[11] “Controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.

[12] Judgement Wirtschaftsakademie Schleswig-Holstein, para. 28.

[13] Para. 67–69 of the Judgement.

[14] “Processing” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (Art. 2(b) of Directive 95/46).

[15] Though without prejudice to potential civil liability, which national legislation may confer in this respect (the Judgement, para. 74).

[16] As explained previously in the judgement Jehovan todistajat, para. 66.

[17] Para. 70 of the Judgement.

[18] “The data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

[19] “Member States shall provide that personal data may be processed only if: […] (a) the data subject has unambiguously given his consent; or…”.

[20] “Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; (c) any further information such as the recipients or categories of recipients of the data, whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, the existence of the right of access to and the right to rectify the data concerning him in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.”.

[21] Para. 102 of the Judgement.

[22] Para. 100 of the Judgement.

[23] Please see Art. 13 and 14 GDPR.

Author: Tamara Staric Petrovic, SELIH & PARTNERJI Law Firm

The development and widespread use of the online social network Facebook (hereinafter “Facebook”) has changed not only the dynamics of social relationships, but also – together with other online platforms and tools – the manner in which enterprises advertise their business. More and more companies are adopting new advertising strategies that focus primarily on product recognition. Given its popularity, Facebook is proving to be an ideal platform for businesses (especially online traders) to pursue such strategies with little investment – at least at first glance.

Linking online stores to content on Facebook may have unintended consequences – especially in terms of consumer protection and (lately unavoidable) data protection law – as illustrated in the ECJ’s judgement in case C-40/17 of 29 July 2019 (hereinafter the “Judgement”)[1].

Background to the case and referral for a preliminary ruling

The facts are summarised in the Judgement as follows: The company Fashion ID GmbH & Co. KG (hereinafter “Fashion ID”) manages an online store selling fashion items. It embedded on its website the “Like” social plugin from Facebook, run by the company Facebook Ireland Ltd. The plugin is technically represented as a ‘like’ button. The consequence of installing such a plugin is that when a visitor visits Fashion ID’s online store, Facebook automatically and without any further action from Fashion ID receives the visitor’s IP address and its browser’s technical data. The data are sent regardless of (i) whether the visitor clicks on the like button, (ii) whether the visitor in question is a user of Facebook or not, and (iii) the fact that the visitor neither is aware nor has consented to such transfer of their personal data to Facebook. Fashion ID is not involved in determining the purposes for which the visitor’s data are collected by Facebook nor the manner in which they are processed once they are in Facebook’s possession, nor does Fashion ID have access to this data.

The German association for consumer protection (Verbraucherzentrale NRW e.V.) sought a cease and desist injunction against Fashion ID on the grounds that it was in breach of data protection legislation. The case was then referred for appeal to the Higher Regional Court in Düsseldorf, Germany (Oberlandesgericht Düsseldorf), which referred six questions to the ECJ in line with Art. 267 TFEU[2]. The questions deal with the interpretation of Articles 2, 7, 10, 22, 23 and 24 of Directive 95/46[3] and certain other provisions of the Directive on privacy and electronic communications[4].[5]

Directive 95/46 was repealed by the General Data Protection Regulation (hereinafter “GDPR”)[6] with effect as of 25 May 2018. However, since the factual background of the matter took place before the adoption of the GDPR, Directive 95/46 applies.

This article will focus primarily on three of the six questions referred (specifically, the second, fifth and sixth question), as these are considered to remain relevant in the new GDPR framework, namely:

  • “2. In a case such as the present one, in which someone has embedded a programming code in his website which causes the user’s browser to request content from a third party and, to this end, transmits personal data to the third party, is the person embedding the content the “controller” within the meaning of Article 2(d) of Directive 95/46 if that person is himself unable to influence this data-processing operation?
  • To whom must the consent to be declared under Articles 7(a) and 2(h) of Directive [95/46] be given in a situation such as that in the present case?
  • Does the duty to inform under Article 10 of Directive [95/46] also apply in a situation such as that in the present case to the operator of the website who has embedded the content of a third party and thus creates the cause for the processing of personal data by the third party?”

Decision of the ECJ

When rendering the decision and arguing its position, the ECJ followed in whole the Opinion from 19 December 2018 of Advocate General M. Bobek[7], which refers predominantly to two recent judgements of the ECJ in the cases (i) Wirtschaftsakademie Schleswig-Holstein[8] and (ii) Jehovan todistajat[9].

The ECJ concluded the following[10]:

Question 2

The primary goal of Directive 95/46 and Art. 2(d)[11], which defines a controller, is to ensure, through a broad definition of the concept of “controller”, effective and complete protection of data subjects.[12] Some main characteristics of a controller are the following[13]:

  • it is a body (e., a natural or legal person, public authority, agency), which alone or jointly with others determines the purposes and means of the processing[14] of personal data. The controller will be pursuing its own goals which lead it to be interested in the processing of personal data;
  • the concept may also refer to multiple actors, taking part in particular processing, each subject to the applicable data-protection provisions;
  • in cases of joint responsibility for the same processing, Art. 2(d) of Directive 95/46 does not require each actor to have access to the personal data concerned.

A person may be regarded as a controller (jointly with others) only in respect of operations involving the processing of personal data for which it determines jointly the purposes and means. Conversely, such a person may not be deemed a controller under Art. 2(d) of Directive 95/46 with respect to any preceding or subsequent processing procedures, for which they do not determine the purposes and manners of processing.[15]

Regarding the liability of joint controllers, the ECJ again[16] emphasized that the existence of joint liability does not necessarily imply equal responsibility of various controllers engaged in the processing of personal data. Since some of the controllers may be involved at different stages of the processing and to different degrees, the extent of each joint controller’s liability must be assessed with regard to all the relevant circumstances of the particular case.[17]

In the present case, the ECJ thus concluded that Fashion ID may be deemed a joint controller under Art. 2(d) of Directive 95/46, though solely with respect to the collection and transfer to Facebook of the personal data of visitors to its online store. On the other hand, it cannot be deemed a controller with respect to any subsequent processing once Facebook possessed the data. By embedding the Facebook ‘like’ button on its website, Fashion ID has optimized the advertising of their products by increasing their visibility on Facebook. By embedding the button, Fashion ID at least implicitly consented to the collection and transfer to Facebook of personal data of visitors to its online store with the purpose of taking advantage of the commercial benefit conferred through the associated increased advertising of its goods. Such processing actions benefit commercially both Fashion ID and the company Facebook Ireland. The latter may use such personal data for its own commercial purposes, as payment for the benefits Fashion ID receives.

Questions 5 and 6

The essence of these two questions is (i) who is responsible for obtaining the consent to process personal data in the present case and (ii) who is responsible for providing information required under the relevant personal data protection legislation to the visitors of an online store in which a third party plugin is embedded: the administrator of such an online store (i.e., Fashion ID) or the provider of the plugin (i.e., Facebook)?

In responding to these two questions, the ECJ referred to its response in respect of question 2 – chiefly, that, in line with Art. 2(d) of Directive 95/46, the website operator will be deemed a controller if it embeds into the website a third party social media plugin that allows the browser used by a visitor to that website to request content from the third party provider of that plugin and to transfer to that third party provider personal data of the visitor. However, the liability of such controller is limited to the data processing procedure or set of procedures, for which that particular controller determines the purposes and manners of processing.

According to the ECJ, such a controller (in this case, Fashion ID) is obliged to:

  • obtain from visitors to its online store consent in line with Arts. 2(h)[18] and 7(a)[19] of Directive 95/46; and
  • provide visitors to its online store information under Art. 10[20] of Directive 95/46.

Such consent must be obtained and such information given before the collection and transfer of data subjects’ personal data takes place, since the processing is initiated immediately upon accessing Fashion ID’s online store.[21]

Furthermore, according to the ECJ, it appears that these two obligations will only arise with regard to the operation or set of operations involving the processing of personal data for which Fashion ID actually determines the purposes and means. Here, such an operation or operations would mean the collection and transfer of personal data to Facebook. These obligations on the contrary do not arise with regard to the processing of personal data at other stages of processing, whether preceding or following the aforementioned procedures, even though they may involve the processing of the same personal data. This would be the case once the data are with Facebook and Facebook determines the purposes and manners of processing.[22]

Conclusion

So what can companies and entrepreneurs (in particular SMEs) learn from the Judgement? Primarily, they should acknowledge that planning an advertising strategy will no longer solely involve the traditional considerations around marketing, statistics, conversions etc.  Rather, businesses must now also consider potential legal issues arising from and ensure a careful review of the terms and conditions of each online platform, plugin and online tool that they wish to incorporate into their advertising campaign.

As stated above, Directive 95/46 is no longer applicable. Nevertheless, the core questions, considered by the ECJ in the Judgement ­­- namely, the definition of a controller, and the obligations to obtain consent and provide information – have become perhaps more relevant since 25 May 2018 and the implementation of GDPR. The material definitions, principles of the processing of personal data and obligations of controllers and other subjects remain the same under the new framework. Meanwhile, some of the controller’s obligations have been defined in more detail, such as the information to be presented to data subjects before the processing is begun and before the subjects consent to the processing of personal data[23].

Last, but not least, the administrative fines for breaches of GDPR may now represent a material portion of a company’s revenues. Moreover, the company in breach would additionally be required to bring its ongoing business operations in line with GDPR, which will likely prove to be more complex and costly once these are already established.

A narrowly focused pursuit of brand recognition and “likes” may prove expensive for a business if it does not step back to consider legal compliance. Thus, before implementing any material changes in commercial operations, advertising, marketing and communications with users (and, more importantly, consumers), we advise every business to seek advice from experts in the relevant field.

 

[1] The text of the entire Judgement is available here.

[2] The Treaty on the Functioning of the European Union (OJ C 326, 26 October 2012, p. 47–390).

[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23 November 1995, p. 31–50).

[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31 July 2002, p. 37–47).

[5] The original wording of all referred questions is available in para. 42 of the Judgment.

[6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016, L 119, p. 1).

[7] The Opinion is available at the same link as the Judgement.

[8] C‑210/16, EU:C:2018:388, judgement of 5 June 2018 (hereinafter “Wirtschaftsakademie Schleswig-Holstein“).

[9] C‑25/17, EU:C:2018:551, judgement of 10 July 2018 (hereinafter “Jehovan todistajat”).

[10] All conclusions are subject to a fact-finding procedure before the national court, which will determine the final facts of the case.

[11] “Controller” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.

[12] Judgement Wirtschaftsakademie Schleswig-Holstein, para. 28.

[13] Para. 67–69 of the Judgement.

[14] “Processing” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (Art. 2(b) of Directive 95/46).

[15] Though without prejudice to potential civil liability, which national legislation may confer in this respect (the Judgement, para. 74).

[16] As explained previously in the judgement Jehovan todistajat, para. 66.

[17] Para. 70 of the Judgement.

[18] “The data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

[19] “Member States shall provide that personal data may be processed only if: […] (a) the data subject has unambiguously given his consent; or…”.

[20] “Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; (c) any further information such as the recipients or categories of recipients of the data, whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, the existence of the right of access to and the right to rectify the data concerning him in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.”.

[21] Para. 102 of the Judgement.

[22] Para. 100 of the Judgement.

[23] Please see Art. 13 and 14 GDPR.