A large number of websites nowadays contain so-called “like” or “share” buttons: promotional features that connect products to popular social networking sites. Following a preliminary ruling from the German Oberlandesgericht Düsseldorf, the European Court of Justice (“ECJ”) clarified on 29 July 2019 the liability in terms of data protection for websites placing such like buttons (C-40/17).
The ECJ ruled in a case initiated by a consumer association against the German fashion retailer Fashion ID, which had embedded the Facebook like button on its website. In its decision, the ECJ followed the opinion of Advocate-General Bobek.
In the present case, the ECJ brings some clarification to several provisions of the former Data Protection Directive 1995 (which remains applicable to this case, but has now been replaced by the General Data Protection Regulation, the so-called GDPR). The ECJ stated that Fashion ID, together with Facebook, is responsible for the collection of the data in question and its transmission to Facebook, since both parties agree on the purpose and the means of achieving it. Consequently, according to the ECJ, websites will be deemed to be controllers within the meaning of the GDPR simply because of the placement of a like or share button. The button sends personal data of visitors to Facebook, without those visitors being aware of that and regardless of whether or not they are a user of Facebook or have clicked on the like button, according to the ECJ.