A Facebook “like” is actually more like an “in a [Joint Controller] relationship” status, says the Court of Justice of the EU in a long-awaited decision in the Fashion ID matter.
At issue: The legal framework surrounding embedding a Facebook “Like” button on your website.
When a user visits a website on which a Facebook “Like” button is installed, their personal data is transmitted to Facebook Ireland:
- the IP address of the visitor’s computer
- technical data of the browser (so that the server can determine the format in which the content is delivered to this address)
- information about the desired content.
The operator of the website is not able to determine the data that the browser transmits or what Facebook does with this data, especially if it decides to store and use it.
The transfer of information happens:
- whether or not the individual is a member of the social network Facebook
- whether or not the person has clicked on the “Like” button
- in many cases, without the individual being aware that the information is being collected or transmitted to Facebook
A website operator and Facebook can be joint controllers for the data collected via the website on which the button is installed
The operator of a website that features a Facebook “Like” button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website. However, the responsibility is limited to the operation or the set of personal data processing operations for which it actually determines the purposes and means, namely the collection and communication, by transmission, of the data in question.
Jointly determine the means of processing
This is because, by embedding such a social module on its website, the website operator has a decisive influence on the collection and transmission of the personal data of visitors to that site for the benefit of Facebook Ireland, which would not take place if the module had not been inserted. Therefore, the website operator may be said to jointly determine the means at the origin of the operations of collection and communication, by transmission, of the personal data of visitors to the website.
Jointly determine the purposes of processing
When you embed a Facebook “Like” button on your website, it allows you to optimize the publicity for your products or services by making them more visible on the Facebook social network. This is a commercial advantage for the website operator. Facebook, in turn, can use the data for its own commercial purposes (and this is the consideration for the benefit to the website operator). Therefore, it may be said that the website operator and Facebook Ireland jointly determine the purposes of the operations of collection and communication, by transmission, of the personal data.
The fact that a website operator does not itself have access to the personal data collected and forwarded to the provider of the social module, with which it jointly determines the means and the purposes of the processing of personal data, does not preclude it from being classified as a controller.
The responsibility of a website operator with regard to the processing of the personal data of individuals who do not have Facebook accounts appears even more important, since merely visiting such a site that includes Facebook’s “Like” button seems to trigger the processing of their personal data by Facebook Ireland.
As a joint controller, the website operator must, at the time of the collection of the data, provide the required disclosures to the user such as its identity and the purposes of the processing.
Where a website operator relies on the user’s consent to process the “Like” button information, it is the one that is responsible for procuring the consent. The consent must be acquired prior to the collection and communication, by transmission, of the data of the data subject. However, the consent is required (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.
Where a website operator wishes to rely on its legitimate interest as the legal basis for the processing of data, each of the (joint) controllers, namely the operator of a website and the provider of a social plugin, must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard.
Only Facebook is controller after the data has been transmitted to Facebook
The website operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone.
This is because the website operator cannot determine the purposes and means of the subsequent personal data processing operations carried out by Facebook after transmission to it.
Examine the full text of the decision.