EU debates GDPR joint liability ruling for websites using social widgets
Buttons such as Facebook's 'Like' come under scrutiny after data collection court challenge


The European Court of Justice (CJEU) is currently debating whether to enforce shared data protection responsibilities on websites that embed data-collecting widgets such as Facebook 'like' buttons.
An embedded Facebook Like button, among other commonly implemented widgets, can gather data such as IP addresses and browser identification strings just by the user loading the web page. Facebook is already considered a data controller, but the result of a fresh case could draw the hosting website into sharing data protection responsibilities under GDPR.
Advocate General (AG) Michal Bobek argued on Wednesday that hosting websites should be considered as joint data controllers with the companies that own widgets.
He believes that both website and widget owner appear to voluntarily cause the collection and transmission of the data for the purpose of processing. Although not identical, he argues there is a commercial and advertising purpose and benefit for embedding a social widget.
Therefore, with respect to the collection and transmission stage of the data processing, the website acts as a controller and is jointly liable alongside the widget owner, which in this case is Facebook.
The case in question involves Fashion ID, a German online fashion retailer, and Verbraucherzentrale NRW, a German consumer group which brought an injunction against the retailer in 2015. The consumer group claimed that by placing a Facebook Like button on its site, Fashion ID was in violation of the EU's Data Protection Directive (DPD) of 1995.
In a regional court in Dusseldorf, Fashion ID lost the original case in 2016 but it has since appealed, with Facebook's backing, to a German higher court. That court has now sought advice on key questions from the CJEU.
The case concerns the EU's 1995 DPD and not GDPR, which superseded it earlier this year when it came into effect. However, GDPR was based on a number of elements of the DPD 1995, including a provision for data controllers and processors, and therefore any decision in this case is likely to influence future rulings under the new regulations.
What is known is that, as a result of an ECJ ruling in June 2018, Article 26 of the GDPR states that Facebook fan page operators are jointly responsible for the data protection of their users and must clearly make members and non-members of Facebook who visit the site aware that the owner and Facebook are both responsible for that user's data.
These fan pages don't strictly pertain to celebrities; they can be for things like restaurants which don't have their own website but still want to have an online presence and interaction with their customers.
Reports claim that complaints against Facebook could rise following a year of issues relating to its privacy policies. Just this week, reports emerged about a data-harvesting SDK, as well as a suggestion of location data tracking even after turning location services off, and an eye-opening data sharing agreement between Facebook, Spotify and Netflix.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.