The Advocate General of the European Court has delivered an opinion in Case C‑40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V., Facebook Ireland Limited, Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen.
The facts of the case are as follows:
Fashion ID (‘the Defendant’) is an online retailer. It sells fashion items on its website. The Defendant embedded the ‘Like’ plug-in supplied by Facebook Ireland Limited (‘Facebook Ireland’) in its website. As a result the so-called Facebook ‘Like’ button appears on the Defendant’s website.
The order for reference further explains how the (non-visible) part of the plug-in functions: when a visitor lands on the Defendant’s website on which the Facebook ‘Like’ button is placed, his browser automatically sends information concerning his IP address and browser string to Facebook Ireland. The transmission of this information occurs without it being necessary to actually click on the Facebook ‘Like’ button. It also seems to follow from the order for reference that when the Defendant’s website is visited, Facebook Ireland places different kinds of cookies (session, datr and fr cookies) on the user’s device.
Verbraucherzentrale NRW (‘the Applicant’), a consumer protection association, brought judicial proceedings against the Defendant before a Landgericht (District Court, Germany). The Applicant sought an order to force the Defendant to cease integrating the social plug-in ‘Like’ from Facebook on the grounds that the Defendant allegedly did not:
– ‘expressly and clearly explain the purpose of the collection and use of the data transmitted in that way to users of the internet page before the provider of the plug-in begins to access the user’s IP address and browser string, and/or
– obtain the consent of users of the internet page to access to their IP address and browser string by the plug-in provider and to the data usage, in each case prior to the access occurring, and/or
– inform users who have given their consent within the meaning of second head of claim that this can be revoked at any time with effect for the future, and/or
– inform that “If you are a user of a social network and do not wish that social network to collect data about you via our website and link these to your user data saved on the social network, you must log out of the social network before visiting our website”.’
The Applicant claimed that Facebook Inc. or Facebook Ireland saves the IP address and browser string and links them to a specific user (member or non-member). The Defendant’s argument in response is a lack of knowledge in this respect. Facebook Ireland argues that the IP address is converted to a generic IP address and is saved only in this form and that there is no allocation of the IP address and browser string to user accounts.
The Landgericht (District Court) ruled against the Defendant on the first three pleas. The Defendant appealed. A cross-appeal was lodged by the Applicant in respect of the fourth plea.
It is within that factual and legal context that the Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf) decided to refer the following questions to the Court:
‘(1) Do the rules in Articles 22, 23 and 24 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31) preclude national legislation which, in addition to the powers of intervention conferred on the data-protection authorities and the remedies available to the data subject, grants public-service associations the power to take action against the infringer in the event of an infringement in order to safeguard the interests of consumers?
If Question 1 is answered in the negative:
(2) In a case such as the present one, in which someone has embedded a programming code in his website which causes the user’s browser to request content from a third party and, to this end, transmits personal data to the third party, is the person embedding the content the “controller” within the meaning of Article 2(d) of [Directive 95/46] if that person is himself unable to influence this data-processing operation?
(3) If Question 2 is answered in the negative: Is Article 2(d) of [Directive 95/46] to be interpreted as meaning that it definitively regulates liability and responsibility in such a way that it precludes civil claims against a third party who, although not a “controller”, nonetheless creates the cause for the processing operation, without influencing it?
(4) Whose “legitimate interests”, in a situation such as the present one, are the decisive ones in the balancing of interests to be undertaken pursuant to Article 7(f) of [Directive 95/46]? Is it the interests in embedding third-party content or the interests of the third party?
(5) To whom must the consent to be declared under Articles 7(a) and 2(h) of [Directive 95/46] be made in a situation such as that in the present case?
(6) Does the duty to inform under Article 10 of [Directive 95/46] also apply in a situation such as that in the present case to the operator of the website who has embedded the content of a third party and thus creates the cause for the processing of personal data by the third party?’
The Advocate General’s opinion:
– Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data does not preclude national legislation which grants public-service associations standing to commence legal proceedings against the alleged infringer of data protection legislation in order to safeguard the interests of consumers.
– A person that has embedded a third-party plug-in in its website, which causes the collection and transmission of the user’s personal data (that third party having provided the plug-in), shall be considered to be a controller within the meaning of Article 2(d) of Directive 95/46. However, that controller’s (joint) responsibility is limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.
– For the purpose of the assessment of the possibility to process personal data under the conditions set out in Article 7(f) of Directive 95/46, the legitimate interests of both joint controllers at issue have to be taken into account and balanced against the rights of the data subjects.
– The consent of the data subject obtained under Article 7(a) of Directive 95/46 has to be given to a website operator which has embedded the content of a third party. Article 10 of Directive 95/46 shall be interpreted as meaning that the obligation to inform under that provision also applies to that website operator. The consent of the data subject under Article 7(a) of Directive 95/46 has to be given, and information within the meaning of Article 10 of the same directive provided before the data are collected and transferred. However, the extent of those obligations shall correspond with that operator’s joint responsibility for the collection and transmission of the personal data.