In its judgment, the CJEU provided clarity on the scope of joint processing operations, and the extent to which a website operator can be deemed a joint controller, and thus jointly liable, for allowing the placement of plug-ins and tracking devices on their website by third parties.

The case (C-40/17) involved a challenge by a consumer protection group in Germany to the placement of Facebook plug-ins on Fashion ID’s website. This was claimed to be an unlawful means of collecting and transmitting personal data to Facebook, as neither Fashion ID nor Facebook had sought or obtained the consent of visitors to the website, or informed them that this data collection was taking place automatically. The collection and transmission occurred regardless of whether or not the visitor was a Facebook member, or whether the visitor had clicked the ‘Like’ button.

Limits of Joint Controllership

The most significant part of the judgment concerns the definition and scope of joint controllership. Under the Data Protection Directive (and now, GDPR), a controller is a party who determines the purposes and means of processing, either alone or jointly with others. Controllers have heightened responsibilities and obligations towards data subjects, and if found to be a joint controller with another party, may be jointly liable for any breaches of data protection law.

This decision is the latest in a series of cases dealing with the issue of joint controllership. Last year, in the Facebook Fan Pages Case (C-210/16), the CJEU held that the administrator of a fan page was a joint controller with Facebook for processing the personal data of visitors to the page, even if the administrator did not have access to the data. Similarly, in the Jehovah’s Witnesses Case (C-25/17), it was held that the Jehovah’s Witnesses Community was a joint controller with the individual members of the Church who collected personal data from door-to-door preaching.

The problem with finding joint controllership on the basis of a Facebook plug-in is that, as identified by the CJEU, “the operator of a website embedding third-party content… cannot control what data the browser transmits or what the third-party provider does with those data”. This raised the issue of how to comply with the transparency obligations of a controller if Fashion ID was unaware for what purposes the data was processed once it had been transmitted to Facebook.

Jointly Determining the Purposes and Means of Processing

The Court held that parties will be deemed joint controllers for any processing operations for which they jointly determine the purposes and means of processing, but will not be joint controllers for operations that precede or are subsequent to these joint operations in the overall chain of processing. Fashion ID was therefore a joint controller for the collection and disclosure by transmission of the personal data of visitors. This was because the purposes of the processing were so Fashion ID could optimise the publicity of its goods by making them more visible on Facebook when a visitor to its website clicks on the button, allowing Fashion ID to benefit from the commercial advantage the plug-in provided. Both Facebook and Fashion ID were processing personal data for their own economic interests, and so they jointly determined the purposes of the operations.

And because Fashion ID exerted a “decisive influence” over the collection and transmission of personal data by deciding to embed the ‘Like’ button in the first place, it was also jointly determining the means of these processing operations.

“Legitimate Interest” can be relied on by Controllers

The CJEU was asked to determine whether controllers in this circumstance can rely on their legitimate interest to process data through a plug-in. The CJEU confirmed that if there is a valid legitimate interest for collecting and transmitting the data, the joint controllers can rely on it, but each joint controller must have their own separate legal basis. The question of whether Art 5(3) of the ePrivacy Directive applied in this case (and therefore, consent of visitors to the website would be required) was left to the referring court to determine.

However, the Court did hold that it is for the operator of a website on which a plug-in is placed to collect the consent of visitors when required. It also falls to the operator of the website to provide data subjects with the requisite notice of the processing operations for which it is a joint controller. These duties do not extend to operations involving the processing of personal data before or after the website operator is involved.

Key Takeaways

The gist of the judgment is that the threshold for joint controllership is low, and there is no requirement for the parties to share responsibility equally, or even for both parties to have access to the data at issue. This has particularly harsh consequences in the adtech context, where it may be difficult to draw lines between the different processing operations, given the number of players in the industry, the number of plug-ins in place, and the general opacity of how processing is taking place.

The judgment also puts the responsibility on website operators for providing transparency notices and obtaining consent (whether as a lawful basis for processing under GDPR, or as required by Article 5(3) of the ePrivacy Directive). Companies using advertising tools for the purposes of boosting their visibility on social media, whether that be in the form of cookies, plug-ins or other analytics tools, must bolster their privacy disclosures and reconsider how and when they need to obtain the consent of visitors to their site.

Website operators should always bear in mind that they are only responsible for the processing operations for which they share or jointly determine the purposes and means of the processing, and liability does not extend to the preceding or subsequent stages of processing in the overall chain of operations.

Practical Steps for Data Controllers

If your website uses social plug-ins for advertising purposes, it is likely that you are a joint controller with the plug-in provider. Some practical steps that can be taken following the Fashion ID judgment include:

Review all adtech arrangements that are in place on your site, and determine for which plug-ins you are a joint controller.

Assess the lawful basis of processing, i.e. do you and the plug-in provider each have a legitimate interest, or is consent required?

Assess whether consent is required under the ePrivacy Directive, i.e. is the plug-in allowing access to data stored in the terminal equipment of the visitor to your website?

Review and update your privacy notices and disclosures to inform visitors to your website about the plug-in.

Review any contractual arrangements that are in place with the provider of the plug-in, and ensure the responsibilities of each party are clearly set out, and that there are indemnity clauses in place to protect your company from liability for data protection breaches by the other party.

The authors wish to thank Siobhán O’Shea for her contribution to this article.