EU debates GDPR joint liability ruling for websites using social widgets

Buttons such as Facebook's 'Like' come under scrutiny after data collection court challenge

European Union Court of Justice CJEU

The European Court of Justice (CJEU) is currently debating whether to enforce shared data protection responsibilities on websites that embed data-collecting widgets such as Facebook 'like' buttons.

An embedded Facebook Like button, among other commonly implemented widgets, can gather data such as IP addresses and browser identification strings just by the user loading the web page. Facebook is already considered a data controller but the result of a fresh case could wrangle the hosting website into sharing data protection responsibilities under GDPR.

Advocate General (AG) Michal Bobek argued on Wednesday that hosting websites should be considered as joint data controllers with the companies that own widgets.

He believes that both website and widget owner appear to voluntarily cause the collection and transmission of the data for the purpose of processing. Although not identical, he argues there is a commercial and advertising purpose and benefit for embedding a social widget.

Therefore, with respect to the collection and transmission stage of the data processing, the website acts as a controller and is jointly liable alongside the widget owner, which in this case is Facebook.

The case in question is one involving Fashion ID, a German online fashion retailer and Verbraucherzentrale NRW, a German consumer group which brought an injunction against the retailer in 2015. The consumer group claimed that by placing a Facebook Like button on its site, Fashion ID was in violation of the EU's Data Protection Directive (DPD) of 1995.

In a regional court in Dusseldorf, Fashion ID lost the original case in 2016 but it has since appealed, with Facebook's backing, to a German higher court. That court has now sought advice on key questions from the CJEU.

The case concerns EU's 1995 DPD and not GDPR, which superceded it earlier this year when it came into effect. However, GDPR was based on a number of elements of the DPD 1995, including a provision for data controllers and processors, and therefore any decision in this case is likely to influence future rulings under the new regulations.

What is known is that as a result of an ECJ ruling in June 2018, Article 26 of the GDPR states that Facebook fan page operators are jointly responsible for the data protection of its users and must clearly let members and non-members of Facebook who visit the site aware that the owner and Facebook are both responsible for that user's data.

These fan pages don't strictly pertain to celebrities, they can be for things like restaurants which don't have their own website but still want to have an online presence and interaction with its customers.

Reports claim that complaints against Facebook could rise following a year of issues relating to its privacy policies. Just this week, reports emerged about a data-harvesting SDK, as well as a suggestion of location data tracking even after turning location services off, and an eye-opening data sharing agreement between Facebook, Spotify and Netflix.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Ubiquiti insider says the company downplayed the severity of a major breach
data breaches

Ubiquiti insider says the company downplayed the severity of a major breach

31 Mar 2021
Forex broker FBS leaves millions of customer records exposed
data breaches

Forex broker FBS leaves millions of customer records exposed

25 Mar 2021
Performance benchmark: PostgreSQL/ MongoDB
Whitepaper

Performance benchmark: PostgreSQL/ MongoDB

22 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021