1. Facebook never ceases to be under the spotlight
This could be promising, but these remarks need to be moderated in a half-tone. Facebook, through its CEO Mark Zuckerberg continues to be in the limelight. With its announcements on new features, the social network wants to further expand its position on the market including the launch of its own cryptocurrency (Libra) and a new feature – still in the testing phase – allowing the management of personal data recovered outside the social network.
Recently, we learned that Facebook used microphones of our connected devices to listen to its users. There was also the Cambridge Analytics scandal, which resulted in a 5$ billion fine for Facebook.
2. Joint liability and Facebook’s “Like” button on an e-commerce website
This is a new controversy that interest us all.
The latter, which affects – but this time indirectly – the social network Facebook, is on the front page of the specialized press.
This new case aims to determine who is the controller when Facebook’s “Like” button is present, and it is up to the judges of the CJEU Court of Justice of the European Union to interpret it.
Although pronounced under the empire of the old right, the CJEU will be part of the reinforced protection of the rights of the natural persons movement started by the GDPR, and it is what will highlight within this judgment.
3. Judgment of 29 July 2019, Court of Justice of the Union, 2nd Chamber
The whole question of this case is who really collects personal data on an e-commerce website, and who is liable when the “Like” button of Facebook is present on a website.
Thus:
That being said, most websites use today this button on their pages: that is the reason why this decision was so awaited.
For the case, in 2016, a German consumer association (Verbraucherzentrale NRW) lodged a complaint against an online e-commerce site (Fashion ID) in the German courts. The latter used the presence of Facebook’s “Like” button directly on their website, suggesting potential users to “like” the Facebook page of the e-commerce website.
The complaint was clear: the supposed sending of data to Facebook without consent directly through this “Like” button, and the discord that it generated. This discord it’s especially to protect us. Indeed, the consent makes possible to understand the treatment that will be made of the collected data, to choose whether or not to accept the treatment, and finally to be able to freely change your mind.
But, what was criticized to the e-commerce website is that the user was not warned that there was not one, but two controllers: namely Fashion ID at first, and Facebook in a second.
Thus, the German courts, on the basis of Articles 256 and 267 TFEU, used the mechanism of the preliminary question, asking the Court to interpret Articles 2, 7, 10, and 22 to 24 Directive 95/46 / EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free circulation of such data. This interpretation aims to know the data controllers when Facebook’s “Like” module is integrated into a web page.
The ECJ sets out its answer in a recital 75.
In essence, it follows from this recital and from this decision that Fashion ID – having inserted the “Like” button of Facebook – offered the possibility to Facebook to obtain the personal data of visitors to their site just by consulting , without necessarily being previously registered on the social network, and even without clicking on the “Like” button, and especially without being aware of such data collection operation.
4. The assertion of the joint liability principle
The key element that will emerge from this case is the joint liability. The joint liability for treatment, a concept embodied in the GDPR in Article 13, is only a continuation of the recommendations made by the former G29, now the EDPS, in a January 2010 opinion.
The EU judges considered that Fashion ID, the e-commerce site, was responsible for the processing of the transfer of data to Facebook and must therefore respect the principles and obligations related to the collection of personal data of visitors to his site. But it is here that the whole nuance of this affair makes sense: the responsibility is shared.
The latter is shared between two treatment managers: Fashion ID who uses the “Like” button of Facebook, and Facebook thereafter, who is co-responsible for the processing of data implemented.
A clarification is still to add: the CJEU felt that the e-commerce website Fashion ID was not liable for the subsequent processing of the data transmitted to Facebook, but Facebook would be the sole responsible for this later use. Therefore, it would have been necessary for the website to collect the “informed” consent of the visitors, informing them logically that a subsequent treatment would follow: the transmission of the data to Facebook by Fashion ID.
5. The issue of free and informed consent is back
It is also on this issue of informed consent that this case is on.
The question is about what the website can potentially ask to the user – roughly: a consent, what for?-.
The Court answer – more or less clearly – to this question, explaining that upon arrival of a user on the said website, the website should inform him that it collects data on its behalf, but that the presence of Facebook’s “Like” module, the social network also obtains.
Therefore, it would be necessary that the request for consent comes from the website and informs that the information will be transmitted to Facebook simply because of the presence of the like button. In addition,in order to consider free the user’s consent to this data transfer, which purpose is commercial prospecting, the website must provide a solution to prevent such sharing of data, in the event of a refusal by the user.
The GDPR, which impact is no longer needed to mention in Europe but also across the Atlantic, indicates in Articles 4 and 7 the applicable conditions to consent. In France, the national regulation authority, states in particular that consent must be free, specific, clear and unambiguous; the main impact of the GDPR in France was to establish and consolidate what was already included in the 1978 Computer and Freedom Act, amended in 2004, with Articles 4 and 7.
The scope of this decision must be specified: all websites with a “Like” button will not be impacted. Indeed, the Court will particularly blamed in recital 80 that Fashion ID website only uses this module for commercial purposes. It is thus possible to assume that many websites that use it for another purpose could retain the “Like” button without worry, relying on a different legal basis than consent. The information provided by article 13 of the GDPR will however remain a mandatory action.
Several questions remain unanswered. And this judgment is already under fire from critics, including Bitkom, the German federation representing net companies who denounce a huge responsibility to websites.
It will be interesting to see the possible consequences of this decision, including the potential attitude that the French Commission Authority will adopt on this subject.
The latter has the possibility to carry out online checks of the compliance of controllers, without prior information from them.
For e-commerce sites, they could, for example, specify in their privacy policy that there will be a collection of data that will be transmitted to the social network, or that there will be two controllers collected data.
References:
https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-07/cp190099fr.pdf
https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A32016R0679
https://eur-lex.europa.eu/legal content/FR/TXT/?uri=celex%3A31995L0046
By Andrea Biagiotti