EU debates GDPR joint liability ruling for websites using social widgets

Buttons such as Facebook's 'Like' come under scrutiny after data collection court challenge

European Union Court of Justice CJEU

The European Court of Justice (CJEU) is currently debating whether to enforce shared data protection responsibilities on websites that embed data-collecting widgets such as Facebook 'like' buttons.

An embedded Facebook Like button, among other commonly implemented widgets, can gather data such as IP addresses and browser identification strings just by the user loading the web page. Facebook is already considered a data controller but the result of a fresh case could wrangle the hosting website into sharing data protection responsibilities under GDPR.

Advertisement - Article continues below

Advocate General (AG) Michal Bobek argued on Wednesday that hosting websites should be considered as joint data controllers with the companies that own widgets.

He believes that both website and widget owner appear to voluntarily cause the collection and transmission of the data for the purpose of processing. Although not identical, he argues there is a commercial and advertising purpose and benefit for embedding a social widget.

Therefore, with respect to the collection and transmission stage of the data processing, the website acts as a controller and is jointly liable alongside the widget owner, which in this case is Facebook.

The case in question is one involving Fashion ID, a German online fashion retailer and Verbraucherzentrale NRW, a German consumer group which brought an injunction against the retailer in 2015. The consumer group claimed that by placing a Facebook Like button on its site, Fashion ID was in violation of the EU's Data Protection Directive (DPD) of 1995.

Advertisement - Article continues below
Advertisement - Article continues below

In a regional court in Dusseldorf, Fashion ID lost the original case in 2016 but it has since appealed, with Facebook's backing, to a German higher court. That court has now sought advice on key questions from the CJEU.

The case concerns EU's 1995 DPD and not GDPR, which superceded it earlier this year when it came into effect. However, GDPR was based on a number of elements of the DPD 1995, including a provision for data controllers and processors, and therefore any decision in this case is likely to influence future rulings under the new regulations.

What is known is that as a result of an ECJ ruling in June 2018, Article 26 of the GDPR states that Facebook fan page operators are jointly responsible for the data protection of its users and must clearly let members and non-members of Facebook who visit the site aware that the owner and Facebook are both responsible for that user's data.

Advertisement - Article continues below

These fan pages don't strictly pertain to celebrities, they can be for things like restaurants which don't have their own website but still want to have an online presence and interaction with its customers.

Reports claim that complaints against Facebook could rise following a year of issues relating to its privacy policies. Just this week, reports emerged about a data-harvesting SDK, as well as a suggestion of location data tracking even after turning location services off, and an eye-opening data sharing agreement between Facebook, Spotify and Netflix.



data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Most Popular

application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Mobile Phones

Microsoft’s patent design reveals a mobile device with a third screen

6 Apr 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020