Joint Controllership or the Risks of using Website Plugins

Companies that engage adtech services either to sell their products to or to collect information on Europeans may be considered joint controllers according to the finding of the European Court of Justice (“ECJ”) in the case of Fashion ID GmbH &Co.KG v. Verbraucherzentrale NRW eV (“Fashion ID”) – a finding that creates compliance obligations.

Danielle Miller Olofsson has authored this article.

In this case, Fashion ID GmbH, an online fashion retailer, embedded on its website Facebook’s “Like” social plugin. Personal data belonging to visitors to the Fashion ID website was immediately transmitted to Facebook Ireland without the visitors: i) being aware, ii) having clicked the “Like” button, or iii) having a Facebook account. Although Fashion ID GmbH argued that it could not control what data the browser transmitted or what Facebook did with the data, it was nevertheless held to be a “controller” for the purposes of European data protection legislation. The court held that: “the operator of a website [...] that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller”.

The ECJ specifies, however, that the function of controller only applies with respect to the information over which the company exercises some control – that is to say the information its website processes up until the point it transmits it to the adtech provider’s browser.

Practically speaking, this means that organisations using the marketing services of adtech providers such as Google, Amazon or Facebook as well as numerous others, may in fact be deemed joint controllers for the purposes of the European General Data Protection Regulation (“GDPR”) and, as such, obliged to enter into a joint controller agreement with these providers. This agreement requires both controllers to set their respective data processing responsibilities, especially as they pertain to the purpose and means of collection, as well as their respective notification obligations as per articles 13 and 14 of the GDPR. It should be recalled that controllers, by definition, are also required to:

• process the information lawfully which in most cases means acquiring specific and explicit consent at the time of processing (i.e. prior to transferring the information to the visitor’s browser);
• inform the data subject clearly of the fact that its information may be transferred to a third party and of the uses that could be made of it;
• notify affected data subjects of a breach within 72 hours of becoming aware of it;
• ensure that the information that might be transmitted is protected by adequate safeguards; and
• in the event the third party site is not located in the European Union, ensuring that appropriate safeguards are in place (adequacy, privacy shield, biding corporate rules, codes of conduct, etc.) so that the transfer is not in violation of the GDPR.

In light of the Fashion ID decision, then, website owners using social plugins to collect information on their clientele should consider:

• immediately updating their privacy notices to reflect the requirements of the decision especially at they relate to consent and full disclosure; and
• drafting a model joint-controllership agreement that clearly delineates the scope of their responsibilities.

BCF’s Data Protection Group would be more than happy to assist organisations review their relationships with marketing service providers and implement measures to comply with their new role in light of the Fashion ID decision.