DPO Dispatch - Update re CJEU's Fashion ID Decision

DPO Dispatch

July 31 · Issue #5
A weekly summary of important developments in the world of privacy and data protection for practicing privacy professionals.

Hi all,
I’m straying from the weekly cadence for a moment to let you know that the CJEU issued an important decision on July 29, 2019 in the case of Fashion ID v. Verbraucherzentrale NRW. The decision expanded the applicability of the concept of “joint controllership” - and thus joint responsibility for data protection - to website (or web app) operators for personal data collected and transmitted to third parties via widgets embedded on the operator’s site (in this case, the Facebook like button). The decision is consistent with previous rulings on joint controllership, but expands the concept to cases in which one party has very little influence on the processing of the transferred personal data.
If you only have a few minutes, here are the highlights:
  • Fashion ID is an online fashion retailer which embedded a Facebook ‘Like’ button on its website.
  • A public interest group (NRW) criticized Fashion ID for transmitting personal data belonging to its website visitors to Facebook Ireland, without consent and without sufficient notice, by embedding Facebook “Like” buttons on its site.
  • There were several issues before the court, but the main issue was whether Fashion ID could be considered a “controller” of the personal data collected by and transmitted to Facebook via the “Like” button under EU law.
  • The CJEU held that Fashion ID was a controller of personal data, jointly with Facebook, in respect of the “collection” and “transmission” of the personal data of its website visitors to Facebook, but not with respect to any further processing done by Facebook alone.
  • In coming to this conclusion, the CJEU confirmed: (1) the definition of controller is intended to ensure “effective and complete protection of data subjects”; (2) a legal or natural person who exerts influence over the processing of personal data, for their own purposes, and who participates in the determination of the purposes and means of the processing, may be regarded as a controller; (3) joint responsibility for controllers does not require each of them to have access to the personal data concerned; (4) operators may be involved at different stages of processing personal data and to different degrees, with different liabilities.
  • Applying these principles to the case, the CJEU found that (1) Fashion ID determined, jointly with Facebook, the means of the collection and transmission of the personal data to Facebook, because it was aware of the fact that it served as a tool for the collection and disclosure of personal data; and (2) Fashion ID jointly determined the purposes of the collection and transmission of the personal data to Facebook, because the processing operations were in the economic interests of both parties.
  • Fashion ID therefore had a duty to (1) inform its visitors of the collection and transmission of the personal data to Facebook; and (2) obtain their consent before collecting and disclosing such data. Importantly, the CJEU held that it was for the operator of the website, rather than the social plugin provider, to obtain that consent.
  • The case was decided under the Data Protection Directive, not the GDPR, but the commentary on when one is deemed a controller will be relevant for the GDPR.
Why you should care:
  • The Fashion ID decision puts an onus on website or web platform operators to disclose what personal data they collect and transmit to third parties via embedded widgets or plugins, and to obtain specific consent for such processing of personal data (unless another lawful basis exists). Importantly, this applies not just to Facebook social media plugins but to third-party widgets more generally, such as embeddable content from Stripe, Shopify, and virtually any service you can iFrame into your platform. If your technology platform relies on these kinds of integrations, you may want to discuss the implications of this decision with your EU counsel.
The full text of the decision and a helpful summary by Bird & Bird LLP are available below.

CURIA - [Full Text of Fashion ID Decision]
CJEU Fashion ID Case: Thumbs down to Facebook's "Like" feature
Europe’s top court sharpens guidance for sites using leaky social plug-ins – TechCrunch