The CJEU gives a “like” to Data Protection
Last August, the CJEU settled a new conflict involving the processing of personal data, Facebook and the popular “like” icon. The conflict arose when “Fashion ID”, a German e-commerce company that sells clothing, inserted the Facebook “like” button on its website. This insertion seems to have the consequence that, when a visitor visits the “Fashion ID” website, personal data of that visitor is transmitted to Facebook Ireland. As analyzed in this ruling, this transmission of data takes place without the visitor being aware of it and regardless of whether they are a member of the Facebook social network or whether they clicked on the “like” button.
For this reason, “Verbraucherzentrale NRW”, a German public association defending the interests of consumers, filed a complaint against “Fashion ID” for having transmitted personal data of visitors to its website to Facebook Ireland, on the one hand, without the consent of those visitors and, on the other, in breach of the information obligations established in the provisions on the protection of personal data.
After the conflict reached the German Court of First Instance, the matter was finally sent to the EU Court of Justice in order to find a final resolution. After analyzing the case, the CJEU ruled that the administrator of an Internet site with the aforementioned “like” button on its website may be responsible, together with the social network, for the collection and transmission to Facebook of the personal data of visitors to its site.
In this particular case, the joint responsibility is due to the fact that, on the one hand, the insertion by “Fashion ID” of the Facebook “like” button on its website allows the fashion site to optimize the advertising for its products by making them more visible on the social network. On the other hand, Facebook Ireland obtains in return the ability to use this data for its own commercial purposes. Such processing operations are therefore carried out in the economic interest of both “Fashion ID” and Facebook Ireland. Consequently, “Fashion ID”, as a co-responsible entity for certain processing operations on the data of consumers who access its website, must request prior consent for the operations in which it, as a co-responsible entity, collects and transmits personal data. However, the CJEU clarified that it will not be responsible, in principle, for the further processing of such data carried out solely by Facebook.
Furthermore, the CJEU also analyzed in this case one of the exceptions to the obligation to obtain prior consent: “legitimate interest”. In these cases, the court pointed out that both the administrator of the website in question and the provider must pursue a legitimate interest with the collection and transmission of data for such operations to be justified. The legitimate interest that justifies one of the actions will therefore not justify the other one.
In conclusion, and as we have mentioned in other blog posts since the entry into force of the General Data Protection Regulation last year, the European Union has been implementing, through its laws and judicial decisions, a strict line of thinking about how it intends the data of its citizens to be treated. Therefore, any activity that falls outside these guidelines cannot be carried out freely, which makes good legal advice important to avoid sanctions or any other obstacles.