On 29 July 2019 the European Court of Justice released a decision on the liability of website operators for the transfer of personal information through social media plugins, such as the Facebook “Like” button. The Court held that website operators who embedded such plugins would be jointly responsible for the collection and transmission to Facebook of personal information of visitors to its website.
Social media plugins such as Facebook’s “Like” button are a common feature of online retail websites, as companies use them to promote their products. By embedding social media plugins the retailer makes their goods more visible on Facebook and other linked social media sites, thus, optimising the publicity of their goods.
Summary of the ECJ Decision
The decision of the European Court of Justice (available here) concerned a German online retailer, who was accused of violating European Union law by embedding a Facebook ‘Like’ plugin in its website. By embedding the plugin into a website, user information, such as user IP addresses, was forwarded to Facebook. This occurred regardless of whether the user had a Facebook account, or even clicked the corresponding button. Until the decision was released, it was unclear the extent to which the website operator would be responsible for the data transfer, given the operator would have no control over Facebook’s subsequent use of the information.
The Court considered that by embedding such a plugin on its website, the retailer sought to benefit from the commercial advantage of the increased publicity of its goods. The data processing activities were therefore in the economic interests of both the retailer and Facebook, which could use the data for its own commercial purposes in consideration for the benefit to the retailer.
Accordingly, the Court held that a website operator that embeds a social plugin on its website, causing information to be transmitted to the provider of the plugin, will be considered a controller in respect of that information, and jointly liable in respect of that data transfer. The decision clarifies that website operators will be jointly responsible for complying with relevant laws, in particular around the lawful processing of information, obtaining consent and notifying users of data processing.
Although the decision was based on the former 1995 European Union Data Protection Directive, which has now been replaced by the 2016 General Data Protection Regulation (GDPR) (in force since May 2018), the considerations are likely to be the same under GDPR.
New Zealand position
While New Zealand’s privacy legislation does not go so far as the data protection laws of the European Union, this case serves as a reminder of the growing complexities around data protection and privacy.
Under New Zealand law, it is a requirement to notify individuals at the point of collection that certain information is being collected, the purpose for which it is being collected and its intended recipients. Accordingly, website operators in New Zealand should be sure to cover all purposes for collection in their privacy policies, including reference to third party social media plugins and what information will be disclosed to the providers.
From a best practice perspective, we recommend that website operators ensure plugins are integrated in such a way that communication with the social media provider only takes place when the button is actually clicked or the user has otherwise indicated consent to information being provided.
Business Law team
Gerard Dale, Claire Evans, Graeme Crombie, Evelyn Jones, Anna Ryan, Joelle Grace, Peter Orpin, Ellen Sewell, Matt Tolan, Carlo Wan, Kristina Sutherland, Jacob Nutt, Whitney Moore, Alex Stone, Ben Cooper
Also in this edition:
Business Law Newsletter:
Click here for other Corporate Law articles.