CJEU - C-40/17 - Fashion ID

From GDPRhub
Revision as of 15:22, 31 October 2020 by Elaine
CJEU - C‑40/17 Fashion ID
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 80 GDPR
Article 1 Directive 95/46
Article 1(1) Directive 2009/22/EC
Article 10 Directive 95/46
Article 2 Directive 2009/22/EC
Article 2 Directive 95/46
Article 22 Directive 95/46
Article 23 Directive 95/46
Article 24 Directive 95/46
Article 28 Directive 95/46
Article 5(3) Directive 2002/58/EC
Article 7 Directive 2009/22/EC
Article 7 Directive 95/46
Recital 10 Directive 95/46
Paragraph 12(1) German Law on Telemedia (TMG)
Paragraph 13(1) German Law on Telemedia (TMG)
Paragraph 2 German Law against Unfair Competition (UWG)
Paragraph 3(1) German Law against Unfair Competition (UWG)
Paragraph 8 German Law against Unfair Competition (UWG)
Paragraph 15(1) German Law on Telemedia (TMG)
Decided: 29.07.2019
Parties: Fashion ID GmbH & Co. KG
Verbraucherzentrale NRW eV
Case Number/Name: C‑40/17 Fashion ID
European Case Law Identifier: ECLI:EU:C:2019:629
Reference from: Higher Regional Court
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Elaine Thuo


Fashion ID embedded the ‘Like’ plug-in from Facebook on its website with a view to increasing the visibility of its product. As a result, Facebook collected and processed personal data from visitors to the website, including visitors who did not have an account with the social network. Verbraucherzentrale NRW, a public service association, brought a claim against Fashion ID for processing personal data by transmitting it to Facebook Ireland without informing those who visited its website. Verbraucherzentrale NRW claimed that Fashion ID was a controller within the definition in Article 2(d) Directive 95/46 and was therefore responsible for the failure to observe data protection laws; Fashion ID objected to this claim. The CJEU held that Fashion ID was a joint controller with Facebook Ireland, with different degrees of responsibility and liability depending on the extent of their individual processing.

English Summary

Facts

Fashion ID, an online clothing retailer, embedded the ‘Like’ social plug-in from Facebook on its website. When a visitor opened the website, their personal data was transmitted to Facebook Ireland without their knowledge or consent, whether or not they clicked on the plug-in and whether or not they had a Facebook account. Verbraucherzentrale NRW, a public service association, brought legal proceedings against Fashion ID for transmitting personal data to Facebook Ireland without consent and in breach of its obligation to inform users of this activity. The Regional Court upheld the request made by NRW, but Fashion ID appealed the decision to the Higher Regional Court, arguing that it was not a controller within the definition set out in Article 2(d) Directive 95/46 and that NRW did not have legal standing to bring a class action suit under Directive 95/46. The Higher Regional Court stayed the proceedings and sought clarification on these questions from the CJEU.

Dispute

Whether Fashion ID is a controller within the definition under Article 2(d) and whether NRW has legal standing to bring a class action suit under Directive 95/46.

Holding

On the first question, the court held that Fashion ID was a joint controller with Facebook Ireland. Its reasoning was as follows: Fashion ID embedded the plug-in to optimize the publicity of its goods and make them more visible to visitors. In doing so, it consented to the terms of using the plug-in in order to benefit from the commercial advantage of increased publicity for its goods, well aware that the plug-in enabled the transmission of personal data to Facebook Ireland. Facebook Ireland also benefited commercially from processing that personal data. Thus, the fact that Fashion ID did not have access to the personal data collected does not preclude it from being a controller within the definition of Article 2(d). Its liability was limited to the processing for which it determined the purposes and means, namely the transmission of personal data and the failure to disclose this to the visitors of its website.

On whether NRW had legal standing to bring a claim on behalf of consumers, the court held that Articles 22 and 24 Directive 95/46 allow consumer protection associations to bring and defend legal proceedings against a person in breach of the protection of personal data.


Comment

Companies and individuals should take precautions before consenting to the use of social plug-ins on their websites. In addition, they should read the fine print, inform their customers, and obtain consent where customers’ personal data will be processed by a social network through transmission from the company’s or individual’s website.
