In its recent decision, the EU Court of Justice addressed an interesting issue from the area of processing personal data, namely certain aspects related to the incorporation of a plugin for connecting to the social network of Facebook Ireland Ltd into the website of an online trader. In this case, it concerned the incorporation of a plugin in the form of a “Like” button into the pages of the German company Fashion ID GmbH & Co. KG (hereinafter “Fashion ID”). Although from a formal perspective the interpretation concerned “only” the provisions of the now-repealed Directive on the protection of individuals with regard to the processing of personal data (hereinafter the “Directive”), the conclusions reached by the court should be largely applicable to the current legal regulation in the form of GDPR.
In our opinion, the adopted decision is, in certain points, controversial to some extent. The referring German court (and consequently the CJEU) proceeded on the basis that, in providing information to Facebook Ireland Ltd through the plugin in question, personal data are transmitted. However, in our opinion, this can only be unequivocally asserted if it is actually known what information is actually transmitted by the trader to Facebook Ireland Ltd. This need not necessarily be (at least from the trader’s perspective) information about an identified or identifiable natural person. In the event that it were not personal data, the regulation of the Directive or GDPR would not apply to such relationships at all.
The most important conclusion of the court was that the online trader, on whose website the plugin of Facebook Ireland Ltd is placed, is in the position of a controller of personal data in relation to this collection and transmission of personal data. The trader should then not be a controller of personal data with regard to the further processing of personal data which is subsequently carried out by companies of the Facebook group and other persons to whom this group provides them with the transmitted information.
The court justified this opinion quite logically, as follows. The company Fashion ID, by incorporating the Facebook “Like” button on its website, …presumably “gave Facebook Ireland the possibility to obtain personal data of visitors to its website, because such possibility is activated at the moment of display of the said pages, irrespective of whether these visitors are members of the Facebook social network, clicked on the Facebook ‘Like’ button, or were even aware of such an operation.” Furthermore, the court stated that the company Fashion ID “by placing such a social plugin on its website, influences in a decisive manner the collection and transmission of personal data of visitors to the said pages for the benefit of the provider of the said plugin, in the case at hand Facebook Ireland, which would not have taken place had the said plugin not been placed.” Placing the button on its website enables the company Fashion ID “to optimise advertising of its products by making them more visible on the Facebook social network when a visitor to its website clicks on the said button. In order for the company Fashion ID to be able to take advantage of this commercial advantage consisting of such enhanced advertising of its products, by placing the button” on its website it consented, at least implicitly, to the collection and transmission of personal data of visitors to the pages, whereby these processing operations were carried out in the economic interest of both Fashion ID and Facebook Ireland, for which the fact that it can have these data at its disposal for its own commercial purposes represents consideration for the advantage it offers to the company Fashion ID."
Nevertheless, the court’s conclusion that the trader is in such a case a controller of personal data transmitted to Facebook Ireland Ltd is, in our opinion, not entirely uncontroversial. Designating the online trader as a controller of personal data is automatically associated with a number of legal obligations which the trader will not be able to objectively fulfil. The proper fulfilment of these obligations presupposes that the trader is fairly thoroughly informed about how the entire system of Facebook Ireland Ltd actually works, including what information is collected and transmitted within this system. One such formal obligation of the controller of personal data is also the necessity to fulfil the information obligation towards data subjects, which the CJEU expressly mentions in the judgment. However, the role of controller of personal data is always also associated with obligations in the area of organisational and technical security of personal data, which, in the case of a system fully controlled by a third party (the Facebook group), places the trader in unsolvable situations from a legal perspective.
From the above it follows, inter alia, that traders should exercise increased caution in relation to regulation in the area of personal data protection in cases where they implement elements managed by third parties into their websites.
Josef Aujezdský, advocate
This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal newsletter No. 8/2019 intended for members of this association.
This text was translated from Czech to English using an AI translator.