On 19 December 2018, the Advocate General (AG) delivered an opinion in a case concerning Fashion ID and Facebook, which considered the parties’ status as joint controllers, under the Data Protection Directive 95/46/EC (DP Directive), when a social plug-in had been embedded.
Fashion ID’s website inserted Facebook’s ‘Like’ button as a plug-in, allowing personal data, such as the user’s IP address and browser journey, to be transferred to Facebook regardless of whether the user clicked on the Facebook Like button. A consumer protection association brought a claim against Fashion ID, arguing that the use of the Facebook Like button was a breach of data protection laws.
The AG’s opinion focuses on four main areas. The first proposal within that opinion is that the DP Directive did not preclude national legislation granting standing to public service associations for them to protect consumers. The remaining three proposals are discussed further below.
The AG’s opinion proposes that both Fashion ID and Facebook should be considered joint controllers of the personal data. Fashion ID is a joint controller as it caused the collection and transmission of user personal data by inserting the plug-in. The AG determined that both parties “co-decide on the means and purposes of the data processing at the stage of the collection and transmission of the personal data”. The fact that Fashion ID was unable to influence subsequent processing was not a key factor in the AG making this determination.
Saying that, the AG’s opinion does limit the liability of joint controllers to “those operations for which it effectively co-decides on the means and purposes of the processing”. Liability of a joint controller should not spill over into subsequent stages of processing that are outside of its control and knowledge.
The AG considered whose legitimate interests should to be taken into account when considering relying on “legitimate interests” as a legal basis for processing. Should the court consider the legitimate interests of the party who embedded the material (Fashion ID) or the third party (Facebook)?
The AG’s opinion proposes that both parties’ legitimate interests should be taken into account, since both parties are controllers. The legitimate interest(s) established in respect of both parties must then be balanced against the rights of the individuals concerned.
On the particular facts, the consent of the user should be given to the website provider, Fashion ID, since the visit to the website is the trigger for the processing operation. This is irrespective of whether the individual already has a Facebook account and has already provided Facebook with consent for processing activities.
Consent must be given before personal data is collected and transferred.
The opinion offers welcome guidance on topical joint controller discussion points. Among other things, the opinion widens the application of joint controllership. Although the case focuses on the interpretation of the DP Directive, this interpretation will continue to apply when considering the application of the General Data Protection Regulation 2016/679. The impact of this, however, is limited, as a joint controller will only be liable for the processing activities that it has an element of control over.
The judges of the Court of Justice have started their deliberations. They are not bound to follow the opinion of the AG, but the AG’s opinion is often very influential.