CJEU: Website operators are "jointly responsible" for embedding social media or third-party code
1. Website and app operators are jointly liable with Facebook for violations of European data protection law
- If website operators embed Facebook’s “Like” button as a plug-in in the source code of their website, and if that plug-in subsequently transfers data of website users to Facebook and Facebook processes this data for its own purposes, then the website operators are jointly responsible with Facebook for compliance with European data protection legislation. In any case, if and insofar as user data was collected via this plug-in and transferred to Facebook, website operators are jointly liable with Facebook in the event of data protection violations.
- In addition, German consumer protection organisations such as the Federation of German Consumer Organisations (“vzbv”) have the right to bring actions for injunctive relief against data protection violations. In fact, not only does the General Data Protection Regulation (GDPR) not preclude a right on the part of consumer associations to bring an action, it expressly provides for this.
The ECJ’s judgment comes as no surprise, since it is in line with key decisions taken last year on data processing in the context of Facebook fan pages (ECJ “Wirtschaftsakademie”, C-210/16). Any party which actively embeds third-party programming code on its website or in its app and, by doing so, enables data processing by a third party, is also jointly responsible with that third party.
For the question of joint responsibility, it is irrelevant whether the website or app operator has access to the transferred personal data or not. This tightening of the law was already hinted at by the ECJ in 2018, in its ruling on data processing in missionary work by Jehovah’s Witnesses (ECJ “Jehovan todistajat”, C-25/17).
“Responsible” under data protection law means that both the website or app operator and Facebook each have to fulfil more than 60 obligations which the GDPR imposes on the party that determines the purposes and means of data processing. Whether this determination is made alone or together with the other party, does not change the fact that both share responsibility: in for a penny, in for a pound.
However, the ECJ has tried to limit these obligations. It takes the view that the website operator's responsibility under data protection law ends once the data has arrived at the data partner, Facebook, and is then used there by Facebook for its own further purposes: for that subsequent processing, the operator is no longer responsible.
According to the court, this does not affect further liability under national law, e.g. civil contract law or tort law. If claims for injunctive relief and damages due to unlawful data processing are based on German tort law as violations of personality rights, then that law's broad principles of attribution for accomplices and participants apply, and a website or app operator may then also be held liable, beyond the mere transfer of the data to Facebook or other third parties, for further violations by the latter. This is where a number of battles still need to be fought in the future. The January 2019 judgment of Dresden Regional Court on Google Analytics used without IP masking (the "anonymizeIp" setting) suggests that further disputes cannot be ruled out.
The ECJ reiterates that even in the case of joint data processing, each individual data controller must have its own legal basis. If this “joint controllership” is based on the balancing of interests clause in Art. 6(1) Sentence 1(f) GDPR, then the balancing of interests must also be carried out separately for each controller.
The operator of a website or app that uses third-party plug-ins must ensure that it itself clearly and fully informs website or app users about the joint data processing and, where necessary, obtains their informed consent to the disclosure of their data before their personal data is collected.
The ECJ explains (para. 104):
“In that regard, it follows from the wording of that provision that the controller [...] must provide, as a minimum, the information referred to in that provision [...].”
Under the GDPR, information for transparent data processing also includes special information for joint controllers pursuant to Art. 26(2) GDPR.
In the case of Facebook, the challenge lies in the fact that the company does not provide this information, or does not provide it in full. Without Facebook's cooperation, the site operator is currently unable to fulfil its own information obligations under the GDPR, yet is at the same time held liable for Facebook's non-compliance.
The decision on the right of consumer associations to take legal action finally establishes legal certainty. A number of ongoing proceedings, which had been suspended until a decision was taken in the Fashion ID case (C-40/17), can now resume.
These include the “App-Zentrum” case at the Federal Court of Justice (ref. I ZR 188/17) and the collective privacy action brought against Facebook by the Verbraucherzentrale Sachsen at Berlin Regional Court (16 O 288/18), which should clarify the content and scope of information obligations in cases of joint controllership under Art. 26 GDPR.
Peter Hense, Attorney-at-Law and Head of Technology, Marketing and Data Protection Law at Spirit Legal:
“Reducing this to the ‘Like’ button and Facebook would prevent us from seeing the wider implications of the decision. It is about every snippet of programming code that a site operator embeds on a website or app. If that code causes data to be collected and passed on to third parties, and if those third parties use the data for the same purposes – such as advertising – then the site operator is also liable for handing over the data. The ECJ’s decision affects the very foundations of modern web design; websites are built according to a modular principle, with many in-house but also third-party building blocks. Anyone who has constructed their sites in this way is now in for a nasty surprise: you cannot simply outsource responsibility for your entire website or app construction project to third parties, but instead you must be accountable for all of your site’s bells and whistles. This applies to the ‘data botch’ of social media platforms just as much as it does to how web analytics tools extensively track site visitors and app users. People’s eyes tend to become particularly wide when we legal consultants explain that the industry giants Facebook, Instagram and YouTube have so far done little or nothing to make it easier for site operators to comply with European law. Against this background, there is only one consequence: to kick unreliable providers off of your virtual premises without further ado. Without pressure, nothing will change for the major providers.”
Tilman Herbrich, Privacy Expert and Advertising Technology Specialist at Spirit Legal:
“Website and app operators must now prepare themselves for the fact that the unchecked integration of third-party content will in future entail even greater liability risks than is already the case. If it hadn’t happened already, today finally put paid to the claim by many market players that users would simply get used to the mountains of third-party content, and that the courts would eventually legitimise the data processing that goes hand in hand with all this content. It is true that there is not yet any risk of a ‘tidal wave of official warnings’ due to the use of third-party plug-ins not conforming to data protection regulations – because today the ECJ has only confirmed the right of consumer associations to bring legal actions. However, we are likely to see a significant rise in reviews of third-party tools by regulators, and critical questions from website visitors and app users. The challenge will then be to provide clear and complete data protection information before processing starts, and to obtain consent from users which covers the integration of third-party plug-ins. I think there are still considerable obstacles in this respect, especially with apps. The extent to which the balancing of interests clause in Art. 6(1) Sentence 1(f) GDPR can represent a valid legal basis remains open for the time being – and will only be decided by the national courts on a case-by-case basis. But one thing is certain today: any consent granted to Facebook cannot establish legitimacy for subsequent processing outside the social network.”
Nicky Hoff, web designer and President of the Contao Association:
“Life just got more difficult for web developers and designers of content management systems. Many features that customers want can currently only be implemented using external plug-ins. But the plug-in providers often publish no or inadequate documentation regarding data protection and the data security of their technology. Website owners, and we service providers, are left to deal with many legal issues on our own. In many cases, we don’t know which data is transferred where, or when. Large companies in particular, such as Facebook, provide insufficient information about the transferred data. But data protection and data security are in our own interest, because we want to create reliable products. I would like to see all providers make the necessary adjustments and get a handle on their data processing and documentation.”
Checklist: Seven tips for website and app operators
1. Check your website or app for plug-ins, pixels, SDKs and third-party widgets.
Analysis tools like Webbkoll can be really useful when it comes to examining your own site.
2. Clarify whether the identified data recipients use the collected data for their own purposes, and whether those purposes also serve your economic interest
Whenever there is a mutual economic interest in the data, joint responsibility can be assumed: do ut des (I give so that you may give), so both parties are liable for the data exchange. The recipient's terms and conditions can be an indicator of this. Shared responsibility is likely with social media providers such as Facebook, Instagram and YouTube, with third-party web analytics, and with remarketing or programmatic advertising.
3. Have you already concluded an agreement with these data recipients in accordance with Art. 26 GDPR?
If not, do so. Until then, you should deactivate the embedded code.
4. Check your insurance cover
Check whether your insurance (IT liability, public liability, cyber insurance) also covers risks arising from joint responsibility with third parties, and ask the other joint controllers for proof of their insurance.
5. Adapt the information on data processing
Update your privacy information so that it covers the joint processing, including the information on the arrangement between the joint controllers that Art. 26(2) GDPR requires to be made available to users.
6. Check internal processes for risks
Since you as the data controller for your website or app are also obliged to comply with the rights of data subjects, check your processes. You can use the following questions to gauge the current risk:
- Can you yourself provide transparent information about the joint data processing by all of the joint controllers, such as Facebook?
- Do you have the option to erase or block data, or to instruct your data partners to erase or block data if it has been processed unlawfully?
- Do your data partners inform you of data breaches? Can you inform authorities and/or data subjects if a data breach has occurred with your data partners?
- Do you have recourse against your data partners if you have to answer for their misconduct?
Ideally, you should be able to answer “yes” to all four of the above questions.
7. Set aside money for possible fines
Weigh the economic benefits carefully against the legal and financial risks. While in 2018 companies could still point to a seemingly unclear legal situation, it is evident that no one will accept this as an excuse in 2020. If you consciously accept risks, then as a matter of prudence you should set aside reserves for potential fines. As Germany's Federal Fiscal Court once put it, a provision must be made where "more reasons speak for it than against it" (judgment of the Federal Fiscal Court of 16 December 2014, ref. VIII R 45/12, para. 28), since you may be fined. If you have checked whether certain plug-ins can be used without risk but are still unsure, then it is high time you started looking for alternatives to those data processing operations.
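Tip 1 of the checklist (inventory the plug-ins, pixels, SDKs and widgets on your own site) is the one step a practitioner can automate. The following is an added example, not code from the article or from Spirit Legal: it scans the static HTML of one page for every element that makes the visitor's browser contact another site, plus URLs hard-coded in inline script loaders, and groups the results by third-party host. The sample page, its URL and all hostnames in it are constructed for the example and do not refer to any real vendor. It only sees what is in the delivered HTML; anything injected at runtime by a tag manager or consent tool needs a browser-based check such as Webbkoll in addition.

```python
"""Inventory the third-party code a page loads (checklist tip 1).

Added example, not from the original article. Parses static HTML for
elements that fetch resources from other sites and for absolute URLs
inside inline <script> bodies (the typical analytics bootstrap pattern).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element attributes whose value the browser fetches while loading the page.
LOADING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),        # stylesheets, icons, preconnect/dns-prefetch hints
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
}

# Absolute or protocol-relative URLs in inline script text, e.g.
# s.src = 'https://vendor.example/collect.js'. The host must contain a dot
# so that a "//comment" in the script is not mistaken for a URL.
INLINE_URL = re.compile(
    r"""(?:https?:)?//[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/[^\s'"<>)]*)?"""
)


class EmbedCollector(HTMLParser):
    """Collects (tag, absolute URL) pairs for every externally loaded resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in LOADING_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and not value.lower().startswith("data:"):
                # urljoin resolves relative and protocol-relative ("//host/x") URLs
                self.refs.append((tag, urljoin(self.page_url, value.strip())))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for url in INLINE_URL.findall(data):
                self.refs.append(("script-inline", urljoin(self.page_url, url)))


def site_of(host):
    """Crude registrable domain: the last two labels of the hostname.

    Good enough for .com/.net/.de; wrong for two-level public suffixes such
    as .co.uk, where the Public Suffix List should be consulted instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_embeds(html, page_url):
    """Return sorted unique (host, tag, url) triples loaded from other sites."""
    collector = EmbedCollector(page_url)
    collector.feed(html)
    collector.close()
    own_site = site_of(urlsplit(page_url).hostname)
    found = set()
    for tag, url in collector.refs:
        host = urlsplit(url).hostname
        if host and site_of(host) != own_site:
            found.add((host, tag, url))
    return sorted(found)


def third_party_hosts(html, page_url):
    """Map each third-party host to the sorted element types that load from it."""
    by_host = {}
    for host, tag, _url in third_party_embeds(html, page_url):
        by_host.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in sorted(by_host.items())}


# Constructed sample page; every hostname here is fictitious.
PAGE_URL = "https://www.shop.example/product/42"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example-widgets.test/embed.js"></script>
<script>
  // constructed stand-in for an analytics bootstrap snippet
  var s = document.createElement('script');
  s.src = 'https://stats.analytics-vendor.test/collect.js';
  document.head.appendChild(s);
</script>
</head><body>
<img src="https://pixel.ad-network.test/p.gif?id=123" width="1" height="1">
<iframe src="https://social.example-network.test/plugins/like.php?href=https://www.shop.example/"></iframe>
<img src="/images/logo.png">
<a href="https://partner.test/">a plain link does not load anything</a>
<script src="https://static.shop.example/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_HTML, PAGE_URL).items():
        print(f"{host}: {', '.join(tags)}")
```

Each host in the output is a candidate data recipient for tip 2: the script and iframe entries are the classic plug-in and SDK cases, a 1x1 image from another host is a tracking pixel, and first-party subdomains such as a static asset host are deliberately filtered out. Run the script against the HTML of your own pages (fetched with the cookies and user agent a normal visitor would send) and compare the host list with the processors and joint controllers you actually have agreements with.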