Like many digital players, Fashion ID inserted a Facebook “Like” button on its website. This plug-in automatically collects and transmits to Facebook the personal data of the website users, whether or not they click on the button, and whether or not they have a Facebook account. This process takes place without any control by the website operator. Arguing that users’ rights are being infringed, a consumer association brought an action before the German court in order to stop this infringement. On 20 January 2017, the competent trial court referred several questions for a preliminary ruling to the Court of Justice of the European Union (CJEU). The main question is whether the integration of this “Like” button is sufficient to make Fashion ID a ‘data controller’ (jointly with Facebook), for the purpose of Directive 95/46/EC of 24 October 1995, which has now been replaced by the General Data Protection Regulation of 27 April 2016 (GDPR).
Although the Court must rule on the notion of joint liability and the consequences of such liability in the light of Directive 95/46/EC, which has now been replaced by the GDPR, both texts define the data controller in the same way. As a result, the scope of the CJEU decision will most likely go beyond the present case. Aware of the stakes involved in this future decision, Advocate General Michal Bobek, in his Opinion of 19 December 2018, expressed his support for joint liability between Fashion ID and Facebook.
In the past, the CJEU has already recognised the administrator of a Facebook page as a data controller who had freely chosen to host the page on Facebook and therefore could set up the statistical processing carried out by the social network (CJEU, “Wirtschaftsakademie”, 5 June 2018, C-210/16). The Court also said that this liability might be retained even if no direct processing is carried out by the page administrator (CJEU, 10 July 2018, “Jehovan”, C-25/17). The CJEU has therefore adopted a broad understanding of the notion of joint liability.
In his Opinion, Advocate General Bobek has invited the Court to reduce the scope of joint liability in order to better identify the liability of each party involved. He considers that extending the notion of data controller to any third party allowing the processing in any way would actually dilute the liability, making the protection of individuals less effective. For this reason, he proposes to link the definition of data controller with the purpose of the processing operation, which must be unique in its means and purpose.
This approach requires splitting the processing into as many subprocesses as there are purposes to get to the part in which the website operator exercises effective control. This approach would limit the website operator’s liability to the processing phase for which he is actually responsible and would not include subsequent processing operations beyond his control. In this instance, Facebook and Fashion ID pursue a commercial and advertising purpose. Therefore, Facebook should be solely liable for processing operations carried out after the data collection, while Fashion ID’s liability would be limited to the collection and transmission of such data. However, this solution proposed by the Advocate General has several disadvantages.
Thus, reducing the notion of purpose to the functions of the processing (i.e. the technical operations of collection) conceals the advertising purpose. However, users should be able to anticipate this. The processing cannot be examined as a whole and an analysis of its compliance with regard to the consequences for the persons concerned is not possible. In the end, adopting this narrow approach would exempt website operators from requiring the disclosure of information from their operating partners that would effectively inform users, because the different data controllers involved would not be required to know the processing operations carried out by their partners.
Indeed, a data controller could try to evade responsibility by arguing that his actions did not cause damage and try to put the blame on all others who have been held to be joint data controllers. Such presumption of solidarity could be considered if the provisions of Article 26 GDPR (requiring joint controllers to transparently determine responsibilities) are not met.
Moreover, the Advocate General does not address the question of cascading responsibilities. Indeed, in the case of multiple data controllers, a new division of the processing operation would have to be carried out under this solution. For example, if Facebook provides data to a partner, the company will have limited liability and it would be up to its partner to enforce the GDPR.
An extensive interpretation of joint liability in cascade would force operators to identify the relevant mechanisms for ensuring respect for the rights of individuals.
The choice of an extensive or restricted interpretation of joint liability now rests with the CJEU. Its decision is therefore highly anticipated since it will have a direct impact on website publishers and the protection of private individuals’ personal data.
Dreyfus assists its clients worldwide in their strategies to protect and defend their rights on the Internet. Do not hesitate to contact us!