CJEU - C-40/17 - Fashion ID
This decision concerns the use of plug-ins from social networks such as Facebook in websites. The court considered the question of joint controllers and the liability of each in the event of breach of data protection laws.
English Summary
Facts
Fashion ID, an online retailer clothing company, embedded the ‘Like’ social plug-in from Facebook on its website. When a visitor visited the website, whether they clicked on the plug-in or not, their personal data was transmitted to Facebook Ireland without the user’s knowledge or consent of this whether or not they had user accounts with Facebook. Verbraucherzentrale NRW, a public service association brought legal proceedings against Fashion ID for transmitting personal data to Facebook Ireland without consent and in breach of their obligation to inform users of this activity. The Regional Court upheld the request made by NRW but Fashion ID appealed the decision to the Higher Regional Court arguing that it wasn’t a controller within the definition set out under Article 2(d) Directive 95/46 and that NRW did not have legal standing to bring a class action suit under Directive 95/46. The Higher Regional Court stayed the proceedings and sought clarifications on these questions from the CJEU.
Dispute
Whether Fashion ID is a controller within the definition under Article 2(d) and whether NRW has legal standing to bring a class action suit under Directive 95/46.
Holding
On the first question, the court held that the Fashion ID was a joint controller with Facebook Ireland. The reasoning behind this: Fashion ID embedded the plug-in to optimize the publicity of its goods and make them more visible to a visitor. As such, it consented to the terms of using the plug-in to benefit from the commercial advantage of increased publicity of its goods, well aware that the plug-in enabled transmission of personal data to Facebook Ireland. Facebook Ireland also had a commercial benefit of processing such personal data. Thus, the fact that Fashion ID did not have access to the personal data collected doesn’t preclude it from being a controller within the definition of Article 2(d). Its liability was limited to the purpose and means of processing on its part which was the transmission of personal data and failure to disclose this to the visitors of its website.
On the whether NRW had legal standing to bring a claim on behalf of consumers, the court held that Articles 22 and 24 Directive 95/46 allow consumer protection associations to bring and defend legal proceedings against a person in breach of protection of personal data.
Comment
Companies and individuals should take precaution before consenting to the use of social plug-ins on their websites. In addition, they should read the fine print, give information to their customers and obtain consent in the event that their personal data will be processed by a social network through transmission from the company’s or individual’s website.
Further Resources
Share blogs or news articles here!