EU says that websites with Facebook Like buttons are liable for private data sharing
The fingers of Facebook have spread like a cancer across the internet. Even people who have made the conscious decision to boycott the network find it near-impossible to completely avoid its reach thanks to the prevalence of Like buttons.
Now the Court of Justice of the European Union has ruled that websites with embedded Like buttons can be held responsible for the transmission of data to Facebook. This is a particularly important ruling due to the fact that Like buttons can be used to share information about site visitors without the need for the button to be clicked.
- Fewer than three percent of people say they would try Facebook Libra for payments
- FTC to fine Facebook $5 billion for Cambridge Analytica privacy violations
- Facebook will pay you to gather information from you
The EU ruling means that sites with Like buttons could find that they are -- almost inadvertently -- breaching GDPR privacy rules. The ruling states simply that "the operator of a website that features a Facebook 'Like' button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website". However, it goes on to say that "by contrast, that operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone".
The European ruling came following an investigation into a German clothing retailer, Fashion ID, which was sharing data with Facebook though embedded Like buttons. Sharing details of its decision, the court said:
In its judgement delivered today, the Court finds, first, that the former Data Protection Directive does not preclude consumer-protection associations from being granted the right to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data. The Court notes that the new General Data Protection Regulation now expressly provides for this possibility.
The Court holds, second, that it appears that Fashion ID cannot be considered to be a controller in respect of the operations involving data processing carried out by Facebook Ireland after those data have been transmitted to the latter. It seems, at the outset, impossible that Fashion ID determines the purposes and means of those operations.
By contrast, Fashion ID can be considered to be a controller jointly with Facebook Ireland in respect of the operations involving the collection and disclosure by transmission to Facebook Ireland of the data at issue, since it can be concluded (subject to the investigations that it is for the Oberlandesgericht Düsseldorf to carry out) that Fashion ID and Facebook Ireland determine jointly the means and purposes of those operations
Importantly, the court also decided that Fashion ID needs to obtain consent from visitors to the site before it shares data with Facebook:
The Court makes clear that the operator of a website such as Fashion ID, as a (joint) controller in respect of certain operations involving the processing of the data of visitors to its website, such as the collection of those data and their transmission to Facebook Ireland, must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the processing.
The Court has also provided further information in respect of two of the six cases provided for in the directive in which the processing of personal data can be considered lawful.
Thus, with regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as Fashion ID must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data.
Facebook responded to the ruling in a statement given to TechCrunch:
Website plugins are common and important features of the modern Internet. We welcome the clarity that today's decision brings to both websites and providers of plugins and similar tools. We are carefully reviewing the court's decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.