CJEU Judgment in the Fashion ID Case: The Role as Controller Under EU Data Protection Law of the Website Operator that Features a Facebook ‘Like’ Button

On July 29, 2019, the Court of Justice of the European Union (“CJEU”) issued its judgment in Case C-40/17 (Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV). This is a landmark decision regarding the assessment of who has the responsibility for complying with data protection legislation in the context of embedding third-party features that regularly takes place on websites.

The CJEU adopted a broad view of the situations in which a “joint controllership” can arise. It held that, under EU data protection legislation, the operator of a website featuring the Facebook ‘Like’ button (a social plugin that causes the transmission to Facebook of website users’ personal data) can qualify as a controller, jointly with Facebook. Consequently, the website operator is directly responsible for complying with legal obligations in this respect, including by informing its users that their personal data will be transferred to Facebook.

Click here to continue reading on the Cleary Cybersecurity and Privacy Watch blog.