On 29 July 2019, the Court of Justice of the European Union (CJEU) issued a decision in the Fashion ID case, a case referred to it by a German court. In this blog post we will focus on what this case means with regard to joint controllership when you have social media plug-ins on your website. To go directly to the section on the implications of this case, please click here.

Background to the Fashion ID case

The Fashion ID case was brought before the CJEU by means of a reference for preliminary ruling by the Higher Regional Court of Düsseldorf, Germany (Oberlandesgericht Düsseldorf).

The national case concerned a dispute between GmbH & Co. KG and Verbraucherzentrale NRW eV about Fashion ID’s embedding of a social plugin provided by Facebook Ireland Ltd on the website of Fashion ID.

The case was referred to the CJEU in January 2017, i.e., before the General Data Protection Regulation became applicable on May 25, 2018, and it was assessed with reference to the then applicable Directive 95/46. Nonetheless, the Court’s findings remain relevant.

Questions for preliminary ruling

In order to decide on the case, the Higher Regional Court of Düsseldorf referred the following questions to the CJEU.

  1. Do the rules in Articles 22, 23 and 24 of Directive [95/46] preclude national legislation which, in addition to the powers of intervention conferred on the data-protection authorities and the remedies available to the data subject, grants public-service associations the power to take action against the infringer in the event of an infringement in order to safeguard the interests of consumers?
  2. If Question 1 is answered in the negative: In a case such as the present one, in which someone has embedded a programming code in his website which causes the user’s browser to request content from a third party and, to this end, transmits personal data to the third party, is the person embedding the content the “controller” within the meaning of Article 2(d) of Directive [95/46] if that person is himself unable to influence this data-processing operation?
  3. If Question 2 is answered in the negative: Is Article 2(d) of Directive [95/46] to be interpreted as meaning that it definitively regulates liability and responsibility in such a way that it precludes civil claims against a third party who, although not a “controller”, nonetheless creates the cause for the processing operation, without influencing it?
  4. Whose “legitimate interests”, in a situation such as the present one, are the decisive ones in the balancing of interests to be undertaken pursuant to Article 7(f) of Directive [95/46]? Is it the interests in embedding third-party content or the interests of the third party?
  5. To whom must the consent to be declared under Articles 7(a) and 2(h) of Directive [95/46] be given in a situation such as that in the present case?
  6. Does the duty to inform under Article 10 of Directive [95/46] also apply in a situation such as that in the present case to the operator of the website who has embedded the content of a third party and thus creates the cause for the processing of personal data by the third party?’

Answers given by the CJEU

The questions for preliminary ruling were answered as follows:

  1. Articles 22 to 24 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.
  2. The operator of a website, such as Fashion ID GmbH & Co. KG, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.
  3. In a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is necessary that that operator and that provider each pursue a legitimate interest, within the meaning of Article 7(f) of Directive 95/46, through those processing operations in order for those operations to be justified in respect of each of them.
  4. Articles 2(h) and 7(a) of Directive 95/46 must be interpreted as meaning that, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, the consent referred to in those provisions must be obtained by that operator only with regard to the operation or set of operations involving the processing of personal data in respect of which that operator determines the purposes and means. In addition, Article 10 of that directive must be interpreted as meaning that, in such a situation, the duty to inform laid down in that provision is incumbent also on that operator, but the information that the latter must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.

Implications of the case as regards joint controllership

The decision contains interesting clarification with regard to joint controllership that goes far beyond the specifics of the case and is relevant for the interpretation of the notion of a joint controller. Even though the case was assessed under Directive 95/64 it is relevant for the interpretation of the notion of joint controller under the GDPR. Indeed, the definition of controller under Directive 95/46 already referred to ‘joint’ determination of the purposes and the means, and the definition remains unchanged under the GDPR.

What we can take away from this decision is the following:

  • An entity can be considered a joint controller without having access to the personal data concerned.

Fashion ID argued that it could not be considered a controller as it does not have influence “either over the data transmitted by the visitor’s browser from its website or over whether and, where applicable, how Facebook Ireland uses those data.

The CJEU does not follow this argument. With reference to earlier case-law (C-210/16 and C-25/17) it states that “the joint responsibility of several actors for the same processing (…) does not require each of them to have access to the personal data concerned”.

This reasoning also applies to a single controller. Access to personal data is not a criterion to determine whether someone is a controller. The only relevant criterion is whether the entity determines the purposes and the means.

  • The liability/responsibility of the joint controller is limited to the processing activity for which it determines the purposes and the means and depends on the degree of involvement in the processing.

The CJEU recognizes that the degree of involvement of a joint controller may vary and that joint controllers are not necessarily involved in all stages of the relevant processing activity. As a consequence, the level of liability must be assessed on the basis of the specific circumstances of the case.

Furthermore, and this goes without saying, an entity will only be considered a controller, and hence be responsible/liable, for the processing activities for which it determines the purposes and the means. If the processing activity is part of a larger chain of preceding and subsequent processing activities for which the entity does not determine the purposes and the means, the entity will not be considered a controller for those preceding and subsequent processing activities.

  • Joint controllership may be inferred from a mutual commercial benefit in data sharing.

It appears that a mutual commercial benefit in data sharing may trigger joint controllership. In its decision, the CJEU expressly refers to the mutual commercial benefit of Fashion ID and Facebook: “As to the purposes of those operations involving the processing of personal data, it appears that Fashion ID’s embedding of the Facebook ‘Like’ button on its website allows it to optimise the publicity of its goods by making them more visible on the social network Facebook when a visitor to its website clicks on that button. The reason why Fashion ID seems to have consented, at least implicitly, to the collection and disclosure by transmission of the personal data of visitors to its website by embedding such a plugin on that website is in order to benefit from the commercial advantage consisting in increased publicity for its goods; those processing operations are performed in the economic interests of both Fashion ID and Facebook Ireland, for whom the fact that it can use those data for its own commercial purposes is the consideration for the benefit to Fashion ID”.

  • Each joint controller needs a legitimate ground for processing personal data.

It follows from the CJEU’s answer to the fourth question that both Fashion ID and Facebook need to demonstrate a legitimate interest. In other words, each controller in a joint controllership needs to have a valid legal ground for the processing activities performed as a joint controller. This makes perfect sense. The obligation only to process personal data on the basis of one of the legal grounds exhaustively listed in the law rests with the individual controller. There is no exception in the case of joint controllership.

  • Where consent is required, the joint controller who first enters into contact with the data subject must request consent. The same goes for the information required.

Where consent is required, it must be acquired before the start of the processing. Similarly, pursuant to the information requirement under Directive 95/64, the data subject must receive information about the processing of personal data at the latest at the time of collection of the personal data.

Given these time constraints, the consent and information requirements must be fulfilled by the joint controller who first enters into contact with the data subject. In the case at hand, this was the website operator, Fashion ID.

Under the GDPR, the roles and responsibilities having an impact on compliance with these requirements would typically need to be determined in the joint controller arrangement referred to in article 26.

Practical guidance for website operators using social media plugins

As you will be considered a joint controller with the provider of the social media plugins, it is recommended that you seek assurance regarding the provider’s GDPR compliance and ensure that:

  • Your privacy policy contains appropriate information on data collection and data sharing via the social media plugins;
  • You request consent where tracking mechanisms are used;
  • You comply with any terms and conditions of the social media plugin provider; and
  • The agreement with the social media plugin provider contains appropriate co-controllership arrangements.