Fashion ID, a German online clothing retailer, embedded on its website the Facebook «Like» button. The consequence of embedding that button appears to be that when a visitor consults the website of Fashion ID, that visitor’s personal data are transmitted to Facebook Ireland. It seems that that transmission occurs without that visitor being aware of it and regardless of whether or not he or she is a member of the social network Facebook or has clicked on the «Like» button.
Verbraucherzentrale NRW, a German public-service association tasked with safeguarding the interests of consumers, criticises Fashion ID for transmitting to Facebook Ireland personal data of visitors to its website, first, without their consent and, second, in breach of the duties to inform set out in the provisions relating to the protection of personal data.
The Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany), which is hearing the dispute, requests the Court of Justice to interpret several provisions of the former Data Protection Directive of 19951 (which remains applicable to this case, but has now been replaced by the new General Data Protection Regulation of 20162 with effect from 25 May 2018).
In its judgment delivered today, the Court finds, first, that the former Data Protection Directive does not preclude consumer-protection associations from being granted the right to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The Court notes that the new General Data Protection Regulation now expressly provides for this possibility.
The Court holds, second, that it appears that Fashion ID cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter. It seems, at the outset, impossible that Fashion ID determines the purposes and means of those operations.
By contrast, Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue, since it can be concluded (subject to the investigations that it is for the Oberlandesgericht Düsseldorf to carry out) that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations.3
It appears, inter alia, that Fashion ID’s embedding of the Facebook «Like» button on its website allows it to optimise the publicity for its goods by making them more visible on the Facebook social network when a visitor to its website clicks on that button. The reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a button on its website is in order to benefit from that commercial advantage. Thus, those processing operations appear to be performed in the economic interests both of Fashion ID and of Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes constitutes the consideration for the benefit to Fashion ID.
The Court makes clear that the operator of a website such as Fashion ID, as a (joint) controller in respect of certain operations involving the processing of the data of visitors to its website, such as the collection of those data and their transmission to Facebook Ireland, must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the processing. The Court has also provided further information in respect of two of the six cases provided for in the directive in which the processing of personal data can be considered lawful.
Thus, with regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as Fashion ID must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.
With regard to the cases in which the processing of data is necessary for the purposes of a legitimate interest, the Court finds that each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in respect of each of them.
Judgment in Case C-40/17 Fashion ID GmbH & Co. KG/Verbraucherzentrale NRW eV
Source: CJEU Press Release No 99/19 of 29 July 2019
- 1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
- 2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (OJ 2016 L 119, p. 1).
- 3 Case: C-210/16 Wirtschaftsakademie Schleswig-Holstein see also Press Release No 81/18, the Court found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data relating to visitors to its page.