Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Tina Cowen
    • D A T Green
    • Karthyaeni Vittala
    • Richard Stewart
    • Mor Swiel
    • Ilanit Appelfeld
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Joanna Coombs-Huang
    • Xavier Prida
    • Mark Clough
    • Stewart White
    • Alison MacFarlane
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Shardi Shameli
    • Stephen Hornsby
    • Ewelina Korgol
    • Maria Constantin
    • Sophia Yakhno
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

CJEU ruling on the use of social media plugins

August 5, 2019By Xavier Prida

The blurring lines of data controllers: a case for joint responsibility of website operators and social media giants

In recent days, the Court of Justice of the European Union (the “CJEU”) ruled on a crucial matter regarding the privacy-compliant integration of a Facebook ‘Like‘ Button by Fashion ID, a German website operator (C-40/17). In a consistent continuation of its case-law on joint responsibility for Facebook fan pages (C-210/16), the CJEU stated that it was – unsurprisingly – opposed to the use of such a feature by the website operator without first obtaining the express consent of visitors, and informing them, among other things, of its identity and the purposes of the processing, as  set out in provisions relating to the protection of personal data. During the course of the hearings, the CJEU was asked to interpret – rather than actually decide the dispute itself – several provisions of the former EU Data Protection Directive of 1995 (Directive 95/46/EC) – which continues to apply to this case, but has now been repealed by the new General Data Protection Regulation of 2016 (GDPR) in force since 25 May 2018.

The installation of the Facebook ‘Like’ feature on its site effectively enabled Fashion ID to enhance the exposure of its products by making them increasingly noticeable on Facebook when a user of its site engaged with the feature. Naturally, this commercial advantage was the motivation for embedding the “like” plugin (which effectively allows the gathering, disclosure, and transferring to Facebook of the website visitors’ personal information).

As a result of the CJEU ruling – which is binding on other national courts or tribunals before which a similar issue is raised – a website that embeds a Facebook ‘Like’ button may well qualify as a data controller – together with Facebook – with regard to the gathering and transfer to Facebook of its visitors’ personal data. This is because, conditional on the findings of the Düsseldorf Court of Appeal investigations, it may be concluded that Fashion ID and Facebook Ireland indeed jointly control the means and purposes of those personal data operations. This suggests that website operators will no longer be able to delay obtaining the specific consent of visitors – as they are already required to do so under the GDPR – but most importantly, they won’t be permitted, in the context of embedding social media plugins in their websites, to simply transfer the fulfillment of their transparency obligations to the corresponding social media platform.

The Berlin Commissioner for Data Protection and Freedom of Information, for its part, has recommended that Berlin website operators, when using social media plugins, examine exactly how far their own responsibility extends, what information obligations they have to fulfill vis-à-vis those individuals concerned and on what legal basis the data processing should take place. If one wants to resort to such plugins at all, the Berlin Data Protection Officer recommends for reasons of legal certainty to choose a consent-based solution.

One of the most relevant practical implications of this ruling is that now an entity that deploys a third-party plugin on its website, which enables the collection, disclosure and transmission of the user’s personal data – to the third party that provided the plugin – will be considered to be a data controller (although we consider that this should always be assessed on a case by case basis).

It seems that, from a data protection perspective, the use of a plugin functionality by a company should be re-assessed in light of the CJEU ruling,  but also in the context of the overall data flows and personal data processing of the company in order to ensure full compliance.

As usual, the first step to compliance should be to map the data flows, identify the scenarios where the company acts as a controller or as a processor, and then ensure that the necessary notices and arrangements are put in place.

Please contact Jose Saras and Xavier Prida if you have any questions regarding the above.

Data protectionFacebookGDPRJose Saras
Latest Preiskel & Co blog posts
  • Claim against NHS Trust for breach of DPA 1998 and misuse of private information dismissed
    April 28, 2022
  • TikTok Class action for the Misuse of Child Personal Data
    April 28, 2022
  • ICO consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018
    April 20, 2022
  • European Strategy for Artificial Intelligence – a framework to regulate AI and its potential impact on the UK
    April 19, 2022
  • Meta hit by 17 million euro fine by Irish regulator
    April 19, 2022
  • Ofcom has mandated that telecoms providers ensure British Sign Language (BSL) for 999
    March 18, 2022
  • Ofcom publishes statement on the future of telephone numbers
    March 15, 2022
  • German court sends biometric data questions to the ECJ
    February 23, 2022
  • Meta fined £1.5m by CMA
    February 7, 2022
  • International data transfer agreement and addendum laid before Parliament
    February 4, 2022
  • CMA publishes statement of scope in music and streaming market study
    February 1, 2022
  • Google Privacy Sandbox faces European Commission complaint from German publishers
    January 24, 2022

The Preiskel Blog

  • Claim against NHS Trust for breach of DPA 1998 and misuse of private information dismissed 28 Apr 2022
  • TikTok Class action for the Misuse of Child Personal Data 28 Apr 2022
  • ICO consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018 20 Apr 2022
  • European Strategy for Artificial Intelligence – a framework to regulate AI and its potential impact on the UK 19 Apr 2022

Preiskel news

  • Daniel Preiskel and Xavier Prida lecturing to Academia Mexicana del Derecho Informático and Abogado Digital
  • Preiskel & Co advises Mexico-based premium content production company Dopamine
  • Danny Preiskel was ranked as a Global Elite Thought Leader in Telecoms & Media by WhosWhoLegal Data 2022
  • Danny Preiskel featured in GCCM (Global Carrier Community Magazine)
Preiskel tweets
  • @jwrosewell @m4aow @w3c @IABTechLab Our pleasure!63 days ago
  • RT @jwrosewell: Great work from @Preiskel and the whole @m4aow team. Thank you. Much for @w3c, @IABTechLab, and others to consider in this…63 days ago
  • RT @TC_4KBW: Google’s battle with publishers shows that at every turn it seeks to block others from competing. it blocked header bidding, b…63 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2022 | Site map | Legal notices | Privacy | Cookie Policy | Privacy | Fraud Notice