EU courts confirm website owners are responsible for plug-ins on their sites
Published on Thursday, August 8, 2019 - 09:43 by Camilla Winlo
The Court of Justice for the European Union (CJEU), has been considering a case which looks into who is responsible for the collection and processing of personal data when a third-party button is placed on a website.
GDPR’s Article 80 means that certain third-parties can complain on behalf of data subjects regarding acts that indicate a breach of GDPR compliance. Verbraucherzentrale is one of these organisations.
Verbraucherzentrale complained that Fashion ID had placed the Facebook Like button on their website, which transmitted data to Facebook when the page was loaded - even if visitor didn’t click on the link.
The organisation said this act breached the GDPR because data was being transferred to Facebook without the individual’s knowledge, or consent, and they didn’t have any control over it.
CJEU was asked to make a preliminary decision about who is responsible for the data captured and transferred by the Facebook Like button – in this case, Fashion ID or Facebook?
In July 2019, the court decided that Fashion ID and Facebook Ireland were joint controllers.
It said that Fashion ID was a controller because it decided whether to include the button on its website, and equally Facebook was a controller because it decided how the button worked, and subsequently what happened to the data once it was collected via the button.
Implications of the decision
Whilst the ruling is not particularly surprising, it does confirm that website owners are responsible for what happens on their sites and for ensuring that they comply with the GDPR: you can’t include third-party content and assume that the third-party in question is responsible for it.
This means that, before you add third-party content to your website, you need to ensure you know how it works and what it’s going to do. You’ll need to establish that there is a lawful basis for processing, and that your website visitors are fully informed on how their data is processed - and by whom.
The wider implications of this decision mean a DPIA will most likely need to be completed, and the necessary controls implemented, before third-party content can be added to a website.
What should organisations do now?
It’s worth questioning whether Fashion ID got enough value from including the Facebook Like button versus the time, costs and management distraction of the lengthy court case it has caused.
We’ve seen examples of websites that list dozens of third-party data recipients in their cookie information, along with organisations that have conducted cookie audits and discovered data transfers happening on their websites that they didn’t even know about.
We have also talked to organisations that simply don’t have the skills in-house to truly understand how third-party content works. However, it’s now well-established that data can only be processed when an organisation can protect it appropriately given the risks.
We recommend that organisations should firstly consider whether they understand how third-party content works on their website, and then does the business benefit justify the costs of any further investigations that may need to take place because of it.
Organisations should either then remove the content, and ask for data to be deleted by the recipients as appropriate, or ensure that their website visitors are fully informed about it. They absolutely must be able to exercise control in accordance with the law.