The next target of the Court of Justice of the European Union: Social media plug-ins?
On Monday next week, the Court of Justice of the European Union (CJEU) is due to hand down its ruling in yet another pivotal case surrounding joint controllership under the GDPR. It appears likely that the Court will, if it follows the tack of the Advocate General, hold social media plug-ins and advertising banners to be under the joint control of the website owner and the respective third party providing the content. This appears to be yet another watershed moment for joint controllership under the GDPR after two landmark rulings on the same issue in 2018. It would have wide-ranging effects for the design and functioning of the vast majority of websites, as well as the very concept of joint controllership itself.
Frequently, website owners incorporate third party content into their websites which, in turn, causes the collection and processing of the personal data of visitors to that webpage, in particular through the placing of a cookie on the visitor's internet browser. Social media plug-ins such as 'like buttons' are a typical example of embedded third party content. In order to increase their internet presence, most website owners link their social media fan page to their website with a social media plug-in. Depending on the way the plug-in is embedded, the personal data of visitors to a website can be sent directly to the owner of the social media platform at the moment the website visitor accesses the website. The visitor does not need to click on the 'like button' first. Owing to the complicated relationship between website owners and the third parties, it is important to clarify which of the parties is the controller for the purposes of the collection and processing of the personal data which is affected by the placing of the third party content or the plug-in on the website. The issue of liability for breaches of data protection law, as well as to whom a data subject can turn to exercise their rights under the GDPR needs to be clarified as a matter of priority. It is just such a case which the CJEU has been called upon to decide.
Throughout 2018, the CJEU already handed down rulings on two seminal cases pertaining to joint controllership. Although these cases were concerned with the interpretation of the predecessor to the GDPR, the 'Data Protection Directive' (Directive 95/46/EC), they remain a clear indication of the approach likely to be taken when construing the GDPR, given the near identical definition of 'controller' under Art. 2 (d) Data Protection Directive and Art. 4 Nr. 7 GDPR as 'the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data […]'. The CJEU took a broad approach to the establishment of joint controllership, holding joint controllership to be established between Facebook and owners of Facebook 'fan pages' even where the owners of the fan page did not receive access to the personal data. It further considered the organisation and coordination of door-to-door preaching and the collection of personal data by the Jehovah's Witness religious community to suffice to ground a joint controllership.
Judgement due: Fashion ID
The present case concerns the embedding into websites of social media plug-ins which collect personal data from visitors to those sites. Advocate General Bobek provided his Opinion to the Court in December 2018, arguing that where third party content is embedded by a website owner into its website, thereby causing the collection of personal data, the website owner and the third party ought to be considered joint controllers. The Advocate General argued that the website owner and the third party had a unity of purpose: a "commercial and advertising purpose".
However, he did attempt to row back some of the effects of the Court's 2018 jurisprudence relating to joint controllership, arguing that the website owner's "(joint) responsibility is limited to those operations for which it effectively co-decides on the means and purposes of the processing". The Advocate General argues that the two parties are joint controllers with regard to the collection and transmission of the personal data, but not for any further processing operations.
Potential effects of the decision
Though the CJEU is not bound to follow Advocate General's Opinion, it tends to follow it in the majority of cases. If it were to do so in the present case, the effects for Websites of all kinds would be wide-ranging. The most immediately noticeable effect for website owners would be the requirement to conclude a joint controller agreement with third parties whose content they embed in their website. Though this may be perfectly practical in some cases, such as when embedding analytics tools (e.g. Google Analytics) into a website, it is not feasible in all cases. Providers of third party content would have to ensure they make joint controller agreements easy to access and conclude, as well as expand the availability of alternatives which do not collect a cookie when embedding. One such alternative is YouTube's "nocookie" domain which allows the embedding of a video without placing a cookie.
Further difficulties could arise from the often vastly imbalanced negotiating power between the two sides – if the third party fails to provide an agreement or provides one which is inadequate for the purposes of the GDPR then it will be very difficult in practice for the website owner to seek appropriate changes to this agreement. This could leave website owners faced with a 'take it or leave it' scenario, leaving them open to fines if they continue to embed the relevant third party content.
Website owners would also have to adapt their privacy policies to reflect their status as joint controller. Additionally they would have to adjust the information they provide when collecting consent for processing the personal data. If they fail to do so, they will not be collecting "informed consent", potentially causing a multitude of legal and liability issues. As a joint controller they will be unable to plead ignorance and will not be able to shift blame for their lack of knowledge onto the third party.
If you have any questions on this topic, do not hesitate to contact Laureen Lee.