The ECJ has ruled on the legality of Facebook's "Like" button

Prehistory

Fashion ID operates the website of the Düsseldorf fashion house Peek & Cloppenburg and had integrated Facebook's "Like" button on the website. The Consumer Advice Centre NRW considered this to be a breach of data protection, as the integration automatically resulted in the transfer of data to Facebook. In the opinion of the consumer advice centre, the necessary consent for the transfer of data to Facebook was therefore lacking. The case is still being decided under the old data protection law, but since the term "controller" is very similar in both laws, the ruling will also be relevant under the GDPR.

Today, many websites contain plug-ins from third-party providers, including not only the "Like" button but all buttons from social networks. Other plug-ins, such as Google Maps, can also fall into this category, provided that data is exchanged. It has also been shown that personal data is collected and forwarded to Facebook even for website visitors who are not Facebook users at all. Furthermore, it was irrelevant for the data transfer whether a visitor to the website clicked the "Like" button or not.

The ruling therefore potentially affects a large number of websites, as the integration of such plug-ins is now very widespread. If a Swiss company is subject to the GDPR, it is also affected by the ruling and should review its websites (the criteria for determining the applicability of the GDPR can be found here).

Verdict

From the press release on the ECJ ruling, it can be seen that although Fashion ID is not "responsible for the data processing operations carried out by Facebook Ireland after the transfer of the data to it", Fashion ID is to be considered jointly responsible with Facebook Ireland for the collection of the data and their transmission to Facebook Ireland. Fashion ID thus jointly decided with Facebook Ireland on the purposes and means of data processing. For companies, the first finding should at least provide some relief, since there is no joint responsibility for further data processing by Facebook.

Furthermore, it is explained that by using the "Like" button Fashion ID was able to increase the visibility of its products on Facebook, so that both parties derive an economic advantage from the data processing, or that Fashion ID accepted that Facebook received personal data from the visitors.

"The Court emphasises that, for certain operations of processing the data of visitors to its website, such as the collection of the data and their transmission to Facebook Ireland, the operator of a website such as Fashion ID must, as (co-)controller, provide those visitors with certain information at the time of collection, such as its identity and the purposes of the processing."

However, the website operator only has to inform about the means and purposes for which he is also responsible and about which he can decide. The same applies to obtaining consent.

As a result, it is clear that the solution assessed here does not guarantee sufficient data protection and such plug-ins must therefore be adapted accordingly.

Measures for action

In order to distribute content on various social networks, social plug-ins represent an important marketing tool for a company and therefore hardly any company will want to do without such tools.

As a company and website operator, it is now necessary to check whether comparable plug-ins are used on one's own website. As already mentioned above, the ruling is probably not limited to the Facebook "Like" button; comparable plug-ins may also be affected. All companies that have not yet implemented a data protection-friendly solution must now make adjustments. In future, the website operator must point out that data is being collected and transmitted. One possibility would be to introduce a pop-up warning, as is already known from cookies, which refers to the corresponding information in the data protection regulations. Of course, the plug-in must not be activated beforehand, and no data may be delivered to a social network before then. However, such a variant seems somewhat cumbersome and would probably lead to the same symptoms of fatigue as the tiresome cookie banners.
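A first-pass way to run that check on your own pages, as an added example that is not part of the original article: it statically lists the third-party hosts a browser would contact on page load, before any click. The sample markup, the host names and the function name `thirdPartyLoads` are constructed for illustration.

```javascript
// Added example (not from the article). Sample markup and hosts are constructed.
// Elements whose src is fetched automatically while the page is parsed.
// "\ssrc" requires whitespace before "src", so data-src placeholders are ignored.
const AUTO_LOAD = /<(script|iframe|img|embed)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;

// Returns [{ host, tags }] for every third-party host contacted on load.
function thirdPartyLoads(html, pageUrl) {
  const firstParty = new URL(pageUrl).hostname;
  const found = new Map(); // host -> Set of tag names
  for (const m of html.matchAll(AUTO_LOAD)) {
    let host;
    try {
      host = new URL(m[2], pageUrl).hostname; // resolves relative and // URLs
    } catch {
      continue; // unparsable src: nothing would be fetched
    }
    // Same host or a subdomain of the site counts as first party.
    if (host === firstParty || host.endsWith('.' + firstParty)) continue;
    if (!found.has(host)) found.set(host, new Set());
    found.get(host).add(m[1].toLowerCase());
  }
  return [...found]
    .map(([host, tags]) => ({ host, tags: [...tags].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed page: two social embeds, one map embed, one deferred placeholder.
const SAMPLE = `
<img src="/img/logo.png">
<script src="https://cdn.shop.example/app.js"></script>
<script async src="https://connect.social.example/sdk.js"></script>
<iframe src="//connect.social.example/plugins/like?href=https%3A%2F%2Fshop.example%2F"></iframe>
<iframe src="https://maps.provider.example/embed?q=store"></iframe>
<div class="two-click" data-src="https://video.example/embed/1"></div>
`;

console.log(JSON.stringify(thirdPartyLoads(SAMPLE, 'https://shop.example/products')));
```

A static scan misses requests that scripts issue at runtime, so confirm the result in the browser's network panel with a fresh profile.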

Another variant that has so far been recognised as a legally secure solution is the "two-click solution". With this solution, data is only exchanged when the visitor activates the button with a click and only then can content be shared. Bitkom also seems to prefer and recommend this solution.
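A minimal sketch of the two-click pattern, added here as an example and not taken from the article, Bitkom or any plug-in vendor: the page ships only an inert placeholder, and the first request to the provider happens inside the click handler. The `two-click` class, the `data-src`/`data-label` attributes, the function names and `social.example` are hypothetical.

```javascript
// Added example (not from the article). Assumed markup, all names hypothetical:
//   <div class="two-click" data-src="https://social.example/plugin"
//        data-label="Social network"></div>
const ALLOWED_HOSTS = new Set(['social.example']); // constructed allow-list

// Returns the normalised URL only if it is https and on the allow-list.
function vetEmbedUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === 'https:' && ALLOWED_HOSTS.has(u.hostname) ? u.href : null;
  } catch {
    return null; // missing or malformed data-src
  }
}

// Replaces the placeholder's content with a local button. Nothing is requested
// from the provider until the visitor presses it.
function armPlaceholder(doc, el) {
  const src = vetEmbedUrl(el.getAttribute('data-src'));
  if (!src) return false;
  const btn = doc.createElement('button');
  btn.type = 'button';
  btn.textContent =
    'Activate ' + el.getAttribute('data-label') + ' (sends data to the provider)';
  btn.addEventListener('click', () => {
    const frame = doc.createElement('iframe');
    frame.setAttribute('referrerpolicy', 'no-referrer'); // do not leak the page URL
    frame.src = src; // first network contact with the third party happens here
    el.replaceChildren(frame);
  }, { once: true });
  el.replaceChildren(btn);
  return true;
}

// In a browser, arm every placeholder; under Node this branch is skipped.
if (typeof document !== 'undefined') {
  document.querySelectorAll('.two-click')
    .forEach((el) => armPlaceholder(document, el));
}
```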

An alternative solution is the Shariff solution, where the user remains invisible as long as he does not click on the button/link. A script for this solution can be found on GitHub.

In addition, the privacy policy must be formulated according to the chosen solution and links to the corresponding information and privacy policy of the social networks must be provided. Various sample clauses can be found here.

 


This article was written by RA Yves Gogniat.

If you have any questions regarding data protection law, please do not hesitate to contact Balthasar Wicki.