Mag. Patrycja Gamsjaeger, LL.M.
Attorney at law in Vienna
According to the recent decision of the Court of Justice of the European Union (ECJ, C-40/17 Fashion ID) companies using Facebook "Like" buttons on their websites could be held liable for transmitting personal data to Facebook without user's consent.
The case was brought by a German consumer protection agency against an online clothing retailer, Fashion ID, which embedded the Facebook's "Like" button on its website. As a result the personal data of the website's visitors, such as the IP address, were sent to Facebook without the user's consent.
"It seems that that transmission occurs without that visitor being aware of it and regardless of whether or not he or she is a member of the social network Facebook or has clicked on the "Like" button." (ECJ Press Release).
The sued online clothing retailer benefited from using the "Like" button since it allowed the company to be more visible on Facebook. Thus, it helped the Fashion ID to "optimize the publicity for its goods". As a consequence according to the judges of the ECJ the clothing retailer "has at least implicitly consented to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a button."
Further, the Court stated that the operator of the website – such as Fashion ID - that embeds the Facebook's "Like" button can be a controller jointly with Facebook social network under EU data protection law (former Data Protection Directive 1995, replaced by the new General Data Protection Regulation of 2016, adopted last year). Both, the online retailer and Facebook "must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the processing".
The Court made also clear that the operator of a website such as Fashion ID must obtain consent from the website user before transmitting her/his personal data to Facebook.
Finally the Court stated that "with regard to the cases in which the processing of data is necessary for the purpose of a legitimate interest (according to the EU data protection law) each of the (joint) controllers, the operator of the website as well as the provider of a social plugin, must pursue a legitimate interest through the collection and the transmission of personal data in order for those operations to be justified in respect of each of them."
The current decision of the Court of Justice of the European Union is very important to the consumers. It not only makes the collection and transmission of personal data by the website operators (using the Facebook's "Like" button) clear and visible.
It also has significant consequences for those companies commercially benefitting from using such social media plugins since they can now be held liable for the collection and transmission of the personal data of the users visiting their websites. The Court`s decision certainly underlines the importance of the General Data Protection Regulation of the EU.