Decision makes websites and Facebook jointly responsible for collecting user data via ‘Like’ button plugins, with potentially ‘serious repercussions’
Websites using Facebook’s “Like” button are liable for the user data they pass along to Facebook under European law, according to the EU’s highest court.
The judgement by the EU Court of Justice involves Fashion ID, a German online retailer that was accused of violating EU law by its use of the embedded Like plugin.
A German consumer body said the use of the plugin broke data protection laws as it was collecting information on the site’s users.
A German court sought guidance, and ECJ judges have now said that websites share joint responsibility for the data with Facebook, with both being a “data controller”.
EU data protection laws define a data controller as a party that determines why personal data is collected and processed, while a data processor typically processes the information on behalf of the controller and is generally a third party.
“The operator of a website that features a Facebook ‘Like’ button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website,” the ECJ said.
The court noted that the retailer benefited commercially from the Like button as it made its products more visible on Facebook.
But it said the retailer is not responsible for the way Facebook processes the data.
Facebook said the ruling, which can’t be appealed, provides clarity on the issue.
“We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law,” said Facebook associate general counsel Jack Gilbert in a statement.
The case predates the introduction of the GDPR last year, but the decision remains relevant under the new rules, industry watchers said.
It raises significant questions for third-party websites, potentially exposing them to liability involving their use of social media plugins to collect user data.
Belgium’s data protection regulator said last year that a decision giving sites joint responsibility for data could have “serious repercussions” for the third-party sites.
Nils Rauer, a partner at law firm Pinsent Masons, said the ruling would be likely to make sites more cautious about embedding plugins, although he said they are likely to remain popular.
“Presumably, they will pay more attention to the embedding process, by way of obtaining dedicated data privacy advice,” Rauer told Reuters.