On Joint Controllership for Social Plugins and Other Third-Party Content – a Case Note on the CJEU Decision in Fashion ID

Directive 95/46/EC, Arts. 2(d) and (h), 7(a) and (f), 10

  • Case Note
  • European Union
IIC - International Review of Intellectual Property and Competition Law

Abstract

In its decision in Fashion ID, the Court of Justice of the European Union (CJEU) assessed the responsibilities pertaining to the processing of personal data through a Facebook “Like” button embedded in a third-party website. The decision, which was not directed at Facebook Ireland, but at a comparatively small German online clothing retailer embedding the social plugin, reaffirms the preference of (German) authorities and consumer protection associations to regulate Facebook indirectly, i.e. through decisions directed against Facebook’s partners, which is seemingly the more feasible way. In the decision, the CJEU concluded that the website operator and Facebook Ireland, as the plugin provider, are jointly responsible merely for the collection of personal data and its disclosure by transmission to Facebook Ireland, whereas the subsequent data processing operations fall under the sole responsibility of Facebook Ireland. This case note argues that this delineation does not sufficiently consider the technical reality behind such plugins. Further, it argues that the CJEU seems to have relied predominantly on the criterion of decisive (factual) influence on data processing, thereby departing from its previous case law. The CJEU further ruled that should joint data processing be based on webpage visitors’ consent, the latter has to be collected by the webpage operator. This solution creates a significant additional administrative burden for the involved companies. According to this case note, the decision on such a technical matter should rather have been left to the disposition of the companies.

Notes

  1. Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629; see this issue of IIC at https://doi.org/10.1007/s40319-019-00868-z.

  2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, 23 November 1995.

  3. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1, 4 May 2016.

  4. As stems from the Court’s decision in Breyer, an IP address can, under certain circumstances, constitute personal data; Case C-582/14, Breyer, 19 October 2016, EU:C:2016:779, paras. 33–49.

  5. Without Facebook Ireland obtaining the mentioned information, the “Like” button cannot appear on the webpage.

  6. Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, paras. 25–31.

  7. Secs. 3 and 8 of the Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG); and Sec. 2 of the Act on Injunctive Relief (Unterlassungsklagengesetz).

  8. See, for example, Case C-191/15, Verein für Konsumenteninformation, 28 July 2016, EU:C:2016:612, para. 31. For an overview of the activities of German consumer protection associations in this field, see Dünkel (2019).

  9. Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, paras. 50–51.

  10. Ibid., paras. 54, 57.

  11. Ibid., para. 63.

  12. Directive 2009/22/EC of the European Parliament and of the Council of 23 April 2009 on injunctions for the protection of consumers’ interests, OJ L 110, 1 May 2009. The Directive lays down rules governing injunctions that can be brought by so-called qualified entities with the aim to protect collective interests of consumers.

  13. Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, para. 61.

  14. Case C-40/17, Fashion ID, Opinion of AG Bobek, 19 December 2018, EU:C:2018:1039, para. 38.

  15. See the definition in Art. 2 lit. d) DPD and Art. 4(7) GDPR.

  16. In Art. 2 lit. b) DPD and Art. 4(2) GDPR, data processing is defined as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  17. Case C-210/16, Wirtschaftsakademie Schleswig–Holstein, 5 June 2018, EU:C:2018:388, paras. 25 et seq.

  18. Case C-210/16, Wirtschaftsakademie Schleswig–Holstein, Opinion of AG Bot, 24 October 2017, EU:C:2017:796, paras. 66–69.

  19. Ibid., para. 72.

  20. Case C-210/16, Wirtschaftsakademie Schleswig–Holstein, 5 June 2018, EU:C:2018:388, para. 39.

  21. According to the Court, these conclusions are for the referring court to verify; Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, paras. 73–85.

  22. See ibid., para. 80.

  23. It has to be borne in mind that these two data processing operations cover neither the storage of data on the servers of Facebook Ireland nor any other further processing. Hence, unless a legal ground for further processing is demonstrated by Facebook Ireland, the data has to “stop at the doors” of Facebook Ireland. The fact that more than these two steps are necessary is also implicitly confirmed by the Court’s finding that “[f]or this [the proper appearance of third-party content], the browser transmits to the server of the third party operator […]”; Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, para. 26 (emphasis added).

  24. The Court argued that after the transmission of data, it is impossible for Fashion ID to determine the purposes and means of data processing. However, such a situation is comparable to data processing by a data processor (cf. Art. 2 lit. e) DPD and Arts. 4(8), 28 GDPR), where even though data is processed by another subject (including defining the means of processing), the controller remains responsible for the processing. Further, as stems from the case law of the Court, the fact that a certain subject does not have access to the data does not preclude it from being a controller; Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, para. 82.

  25. Case C-210/16, Wirtschaftsakademie Schleswig–Holstein, 5 June 2018, EU:C:2018:388, para. 36.

  26. Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, paras. 76–78. However, Hanloser (2019) rightly points out that Fashion ID cannot exercise any influence over the transmission of data, as after data has been collected by the plugin, it is automatically transferred to Facebook Ireland.

  27. Cf. also Case C-40/17, Fashion ID, Opinion of AG Bobek, 19 December 2018, EU:C:2018:1039, para. 93; Mahieu et al. (2019), p. 97.

  28. See Case C-210/16, Wirtschaftsakademie Schleswig–Holstein, 5 June 2018, EU:C:2018:388, paras. 26–28.

  29. Ziegenhorn and Fokken (2019).

  30. Cf. Edwards et al. (2019).

  31. See the right of access, Art. 12 DPD and Art. 15 GDPR.

  32. According to Art. 26 GDPR, they have to conclude a joint controllership agreement. Irrespective of the terms of the arrangement, a data subject may exercise her rights in respect of and against each of the controllers; Art. 26(3) GDPR.

  33. Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, para. 70. By way of example, the responsibility of Fashion ID for data processing is greater with regard to natural persons who are not members of the social network Facebook; ibid., para. 83.

  34. Ibid., para. 74.

  35. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31 July 2002.

  36. The Commission submitted that the question on legitimate interests is irrelevant as all the data in question falls under the e-Privacy Directive (in which case legitimate interests cannot be invoked as a legal ground for processing). Furthermore, according to AG Bobek, the discussion at the hearing was ample; Case C-40/17, Fashion ID, Opinion of AG Bobek, 19 December 2018, EU:C:2018:1039, paras. 113, 115.

  37. The second option, namely that data transfers are strictly necessary for the provision of an information society service explicitly requested by the user, in which case consent is not needed, is not applicable in the case at hand.

  38. Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, para. 91.

  39. The GDPR equivalent is Art. 6(1) lit. f).

  40. On the application of the balancing test in data-related constellations, see Kathuria and Globocnik (2019), pp. 24–27.

  41. Kathuria and Globocnik (2019), pp. 24–25. See also Case C-40/17, Fashion ID, Opinion of AG Bobek, 19 December 2018, EU:C:2018:1039, paras. 122–123.

  42. See Art. 6(1) lit. f) and Recital 38 GDPR.

  43. Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, para. 100.

  44. Ibid., para. 101.

  45. Ibid., para. 102. By stating that consent always has to be obtained prior to data processing, the Court seems to have declared Sec. 15(3) of the German Telemedia Act (Telemediengesetz – TMG), which in some situations allows ex post consent, incompatible with EU law; Kremer (2019). AG Szpunar has voiced similar concerns in the Planet49 case; Case C-673/17, Planet49, Opinion of AG Szpunar, 21 March 2019, EU:C:2019:246, para. 109.

  46. This is a consequence of the limitation of the webpage operator’s controllership to merely data collection and transmission; see Part 3.2, supra. In order to fulfil its obligations to inform and to obtain a sufficiently granular and informed consent, the webpage operator will have to gain information on the exact functioning of the often opaque plugins; Dannapel (2019).

  47. Indeed, the webpage operator could also obtain consent for subsequent processing operations in the name of the plugin provider. However, this is a compliance risk it is unlikely to run.

  48. In the proceedings, the Commission submitted that the DPD does not specify to whom consent must be given; Case C-40/17, Fashion ID, Opinion of AG Bobek, 19 December 2018, EU:C:2018:1039, para. 79. Indeed, in order not to stifle innovation in such a fast-moving field, it would have been advisable to leave the final choice as to the means of obtaining consent to the involved controllers.

  49. This could for example be achieved with a cookie overlay blocking the loading of the webpage until consent is given, or by using a landing page or an obligatory registration prior to loading of the affected webpages; Kremer (2019). Further, an option could be considered according to which consent would be given to Facebook Ireland already upon creating a social media account, and the “Like” button would only be shown to webpage visitors who have previously registered (and thus given consent) on Facebook. The Commission noted at the hearing that partially, this might already be the case; Case C-40/17, Fashion ID, Opinion of AG Bobek, 19 December 2018, EU:C:2018:1039, para. 137. However, given the quantity and the variety of pages embedding “Like” buttons, it is not apparent how such consent would meet the standards for informed consent; cf. Buchner and Kühling (2018), Art. 7 paras. 61–63.

  50. In the two-click solution, the visitor first has to enable the plugin. Before doing so, no data is collected and transferred to the plugin provider. In a second step, the visitor can “like” the content; Schmidt (2011). However, this solution will only be compliant with data protection law if accompanied by the requested information and a sufficiently precise consent clause.

  51. Briegleb (2014).

  52. Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629, paras. 103–105. For the information to be provided to webpage visitors, see Art. 10 DPD and Art. 13 GDPR. It has to be borne in mind that these responsibilities apply every time data is collected from the data subject, and not only when it is collected based on consent.

  53. See Case C-210/16, Wirtschaftsakademie Schleswig–Holstein, 5 June 2018, EU:C:2018:388.

  54. See Case C-40/17, Fashion ID, 29 July 2019, EU:C:2019:629.

  55. Cf. Hanff (2018).

  56. See, for example, Case C-498/16, Schrems, 25 January 2018, EU:C:2018:37.

  57. See Case C-210/16, Wirtschaftsakademie Schleswig–Holstein, Opinion of AG Bot, 24 October 2017, EU:C:2017:796, para. 74.

  58. Thus far, only requests for preliminary rulings from German courts have reached the CJEU.

  59. For a detailed analysis of the case, see Botta and Wiedemann (2019), pp. 437–442.

  60. German Federal Cartel Office, B6-22/16, Facebook, 6 February 2019, paras. 639 et seq., 727 et seq.

  61. Ibid., paras. 871 et seq.

  62. Ibid., para. 777. Using the term voluntary consent is rather odd given that the GDPR uses the term freely given; Botta and Wiedemann (2019), p. 439.

  63. Düsseldorf Court of Appeal, VI-Kart 1/19 (V), 26 August 2019.

  64. Recital 15 GDPR.

  65. See, especially, the decisions in Cases C-210/16, Wirtschaftsakademie Schleswig–Holstein, 5 June 2018, EU:C:2018:388 and C-25/17, Jehovan Todistajat, 10 July 2018, EU:C:2018:551.

  66. Cf. Case C-40/17, Fashion ID, Opinion of AG Bobek, 19 December 2018, EU:C:2018:1039, para. 52. It also has to be borne in mind that the judgment does not only affect website operators, but e.g. also mobile app providers; Kremer (2019).

  67. Dannapel (2019); Kremer (2019). Cf. also State Commissioner for the Protection of Data and Freedom of Information Rhineland-Palatinate (2019).

  68. This service is widely used. From its launch in 2010, the fonts have been retrieved more than 31 trillion times; Google (2019). Alternatively, the webpage operator can host the fonts on its own server, thereby overcoming data protection concerns. However, this might slow down the webpage; Webdesign Journal (2019).

  69. Tene (2013), p. 1219.

  70. Cf. Edwards et al. (2019).

Author information

Corresponding author

Correspondence to Jure Globocnik.

Additional information

The author is grateful to Klaus Wiedemann and Moritz Sutterer for their valuable comments and suggestions. Any errors remain mine.

About this article

Cite this article

Globocnik, J. On Joint Controllership for Social Plugins and Other Third-Party Content – a Case Note on the CJEU Decision in Fashion ID. IIC 50, 1033–1044 (2019). https://doi.org/10.1007/s40319-019-00871-4
