EU debates GDPR joint liability ruling for websites using social widgets

Buttons such as Facebook's 'Like' come under scrutiny after data collection court challenge

European Union Court of Justice CJEU

The European Court of Justice (CJEU) is currently debating whether to enforce shared data protection responsibilities on websites that embed data-collecting widgets such as Facebook 'like' buttons.

An embedded Facebook Like button, among other commonly implemented widgets, can gather data such as IP addresses and browser identification strings just by the user loading the web page. Facebook is already considered a data controller but the result of a fresh case could wrangle the hosting website into sharing data protection responsibilities under GDPR.

Advocate General (AG) Michal Bobek argued on Wednesday that hosting websites should be considered as joint data controllers with the companies that own widgets.

He believes that both website and widget owner appear to voluntarily cause the collection and transmission of the data for the purpose of processing. Although not identical, he argues there is a commercial and advertising purpose and benefit for embedding a social widget.

Advertisement - Article continues below

Therefore, with respect to the collection and transmission stage of the data processing, the website acts as a controller and is jointly liable alongside the widget owner, which in this case is Facebook.

The case in question is one involving Fashion ID, a German online fashion retailer and Verbraucherzentrale NRW, a German consumer group which brought an injunction against the retailer in 2015. The consumer group claimed that by placing a Facebook Like button on its site, Fashion ID was in violation of the EU's Data Protection Directive (DPD) of 1995.

In a regional court in Dusseldorf, Fashion ID lost the original case in 2016 but it has since appealed, with Facebook's backing, to a German higher court. That court has now sought advice on key questions from the CJEU.

The case concerns EU's 1995 DPD and not GDPR, which superceded it earlier this year when it came into effect. However, GDPR was based on a number of elements of the DPD 1995, including a provision for data controllers and processors, and therefore any decision in this case is likely to influence future rulings under the new regulations.

What is known is that as a result of an ECJ ruling in June 2018, Article 26 of the GDPR states that Facebook fan page operators are jointly responsible for the data protection of its users and must clearly let members and non-members of Facebook who visit the site aware that the owner and Facebook are both responsible for that user's data.

These fan pages don't strictly pertain to celebrities, they can be for things like restaurants which don't have their own website but still want to have an online presence and interaction with its customers.

Reports claim that complaints against Facebook could rise following a year of issues relating to its privacy policies. Just this week, reports emerged about a data-harvesting SDK, as well as a suggestion of location data tracking even after turning location services off, and an eye-opening data sharing agreement between Facebook, Spotify and Netflix.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Five signs that it’s time to retire IT kit

29 Nov 2019

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019