CJEU delivers judgment in Facebook “Like” button case

9 August 2019

The Court of Justice of the European Union (CJEU) last week handed down its decision in a case concerning a German online clothing retailer’s use of the Facebook “Like” button. The retailer, Fashion ID, had embedded the Facebook tool on its website, enabling visitors to “like” content on the web and so share it on Facebook. The process, which involved the visitor’s personal data being transferred to Facebook Ireland, was criticised by a German consumer-protection organisation. In particular, the organisation criticised Fashion ID for collecting and transferring personal data without obtaining consent or providing information to the visitor about the data processing involved. The question referred to the CJEU centred on the extent to which Fashion ID could be held responsible for (i.e. be a controller of) that personal data.

The CJEU’s judgment found that – while Fashion ID could not be considered a “joint controller” of the processing carried out by Facebook Ireland once the transfer had taken place – Fashion ID was a joint controller with Facebook Ireland in respect of the initial collection and transfer to Facebook Ireland. The CJEU based this view on the fact that Fashion ID, alongside Facebook, was gaining a commercial advantage from the arrangement by virtue of the promotion of its content on Facebook.

This decision was made under the former Data Protection Directive (now replaced by the GDPR). The decision is nevertheless instructive for website owners operating under the new regime. The Facebook “Like” button might previously have been viewed as something falling under Facebook’s responsibility, particularly where the website owner has very limited control over the operation of the button, or indeed any access to the personal data it collects. However, this judgment makes clear that a website owner is likely to be jointly liable under the GDPR for this initial collection and transfer. As such, website owners need to think about compliance with the GDPR, including both identifying an appropriate legal ground for that initial processing, and providing visitors with all the information they need to ensure fair and transparent processing.