EU debates GDPR joint liability ruling for websites using social widgets
Buttons such as Facebook's 'Like' come under scrutiny after data collection court challenge
The European Court of Justice (CJEU) is currently debating whether to enforce shared data protection responsibilities on websites that embed data-collecting widgets such as Facebook 'like' buttons.
An embedded Facebook Like button, among other commonly implemented widgets, can gather data such as IP addresses and browser identification strings just by the user loading the web page. Facebook is already considered a data controller but the result of a fresh case could wrangle the hosting website into sharing data protection responsibilities under GDPR.
Advocate General (AG) Michal Bobek argued on Wednesday that hosting websites should be considered as joint data controllers with the companies that own widgets.
General Data Protection Regulation (GDPR) Data protection principles Facebook hack: Three million EU users affected by breach
He believes that both website and widget owner appear to voluntarily cause the collection and transmission of the data for the purpose of processing. Although not identical, he argues there is a commercial and advertising purpose and benefit for embedding a social widget.
Therefore, with respect to the collection and transmission stage of the data processing, the website acts as a controller and is jointly liable alongside the widget owner, which in this case is Facebook.
The case in question is one involving Fashion ID, a German online fashion retailer and Verbraucherzentrale NRW, a German consumer group which brought an injunction against the retailer in 2015. The consumer group claimed that by placing a Facebook Like button on its site, Fashion ID was in violation of the EU's Data Protection Directive (DPD) of 1995.
In a regional court in Dusseldorf, Fashion ID lost the original case in 2016 but it has since appealed, with Facebook's backing, to a German higher court. That court has now sought advice on key questions from the CJEU.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The case concerns EU's 1995 DPD and not GDPR, which superceded it earlier this year when it came into effect. However, GDPR was based on a number of elements of the DPD 1995, including a provision for data controllers and processors, and therefore any decision in this case is likely to influence future rulings under the new regulations.
What is known is that as a result of an ECJ ruling in June 2018, Article 26 of the GDPR states that Facebook fan page operators are jointly responsible for the data protection of its users and must clearly let members and non-members of Facebook who visit the site aware that the owner and Facebook are both responsible for that user's data.
These fan pages don't strictly pertain to celebrities, they can be for things like restaurants which don't have their own website but still want to have an online presence and interaction with its customers.
Reports claim that complaints against Facebook could rise following a year of issues relating to its privacy policies. Just this week, reports emerged about a data-harvesting SDK, as well as a suggestion of location data tracking even after turning location services off, and an eye-opening data sharing agreement between Facebook, Spotify and Netflix.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.