On 29 July 2019 the Court of Justice of the European Union (CJEU) issued a judgment stating that website operators who incorporate a third party plug-in on their sites can be joint controllers in the collection and sharing of personal data with that third party. This effectively makes the website operator jointly responsible for this collection and sharing of data, despite the fact that the website operator may have no access to the personal data that is transmitted.
Although the case is based on the pre-GDPR data protection law (i.e. the EU Data Protection Directive), the same principles are still relevant under GDPR.
The case involved Fashion ID, a German online clothing retailer, which had embedded the Facebook "Like" button on its website. As a result, when users browsed the Fashion ID site, their IP addresses and certain other basic data were collected and shared with Facebook automatically (regardless of whether they had a Facebook account).
What is a joint controller?
A joint controller is an entity that jointly uses the same set of personal data for the same objective and for the same purpose as another entity. Under GDPR, each joint controller can be responsible for the entire damage caused by a processing activity, unless it can prove it is not in any way responsible for the event giving rise to the damage. A finding of joint controllership therefore potentially increases an entity's risk exposure for another entity's data processing activity.
Why does this matter?
This case is another example of the European courts widening the concept of joint controllership.
In embedding the "Like" button, the court decided that Fashion ID was exerting a "decisive influence over the plugin" because the transfer to Facebook could not have occurred without Fashion ID's input. Both parties were pursuing a common purpose of commercial gain by agreeing to embed the social plugin on the Fashion ID site. Fashion ID did not itself have access to the data shared with Facebook but this did not dissuade the court from making a finding of joint controllership. This perhaps indicates that common purpose and objectives are more important in a finding of joint controllership than access and use of the data by both entities. It is this point which has been most alarming to website operators as it has the potential to greatly expand their risk exposure.
The court found that Fashion ID would have been responsible for both having a lawful basis for sharing data and informing website visitors about the disclosure of their information.
As this was a CJEU decision, the court was not concerned with whether a legal basis was actually obtained, or whether individuals were actually correctly informed, because these are matters for the German national courts to decide.
The court did moderate its finding of joint controllership by making it clear that Fashion ID was only a joint controller in respect of the collection and transmission of the personal data, and it was not seen as a controller in respect of Facebook's further use of the data. This will help to ease fears over the extent of the judgment.
What should companies be doing?
Based on a narrow interpretation of this case, entities that incorporate social media and other third party plugins on their sites should:
- Review their privacy notices to ensure they provide adequate disclosures about data shared by virtue of the plug-in, the identity of the third party and the fact that a joint controller arrangement exists.
- Ensure that they have a valid legal basis for processing the personal data in this way.
- Review measures proposed by the third party in response to this judgment for a GDPR-compliant joint controller arrangements (Article 26 of GDPR obliges controllers that qualify as joint controllers to have an arrangement in place in respect of their relationship, and to make the essence of this available to relevant data subjects).
More broadly, this judgment is yet another expansion of the concept of joint controllership. It shows once again that a business can be a controller of personal data even if it has no access to the relevant information.
Businesses should review situations where they allow other data controllers to access or collect data and consider whether the entities may now be seen as joint controllers rather than acting in a controller-to-processor or mere controller-to-controller capacity. If so, this will likely have knock-on effects under the GDPR, including around transparency and regarding requirements under any data sharing agreement. Unfortunately, what is still missing are clear and unambiguous criteria for assessing what relationship exists.