Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV

Reference: C-40/17

Court: CJEU Second Chamber

Judge: K. Lenaerts (President), A. Prechal, C. Toader, A. Rosas (Rapporteur) and M. Ilešič

Date of judgment: 29 Jul 2019

Summary: Data protection – Facebook plugin embedded on website – joint controllers

Facts

Fashion ID, an online retailer, embedded a Facebook ‘Like’ button into its website. As a result, when visitors accessed the Fashion ID website, their IP address and browser data were automatically transmitted to Facebook Ireland Ltd (‘Facebook Ireland’). This occurred irrespective of whether the visitor clicked the Like button, was a member of Facebook, or was aware of the data being transmitted. The Claimant, a consumer organisation, sought an injunction against Fashion ID to cease transmitting personal data in this fashion.

The Landgericht Düsseldorf (Regional Court) held that the Claimant had standing to bring proceedings and upheld its requests in part. Fashion ID (with Facebook Ireland intervening in support) appealed to the Oberlandesgericht Düsseldorf (Higher Regional Court), arguing that:

  1. The Claimant did not have standing, as Articles 22 to 24 of Directive 95/46 (‘the Directive’) grant legal remedies only to data subjects and competent supervising authorities.
  2. Fashion ID was not a controller within the meaning of Article 2(d) of the Directive, as it had no influence over the data transmitted or how Facebook Ireland ultimately used the data.

The Oberlandesgericht Düsseldorf referred the proceedings to the CJEU under the preliminary ruling procedure.

Issue

1) Do Articles 22 to 24 of the Directive preclude national legislation granting public-service associations the power to represent a data subject in legal proceedings or commence legal proceedings of their own initiative?

2) If no, is the operator of a website (such as Fashion ID) that embeds a social plugin a controller within the meaning of Article 2(d) of the Directive, even if it is unable to influence the processing of the data transmitted?

3) Whose legitimate interests need to be considered pursuant to Article 7(f) of the Directive – the website operator’s or those of the provider of the social plugin?

4) Who needs to obtain the consent required by Articles 2(h) and 7(a) of the Directive and provide the information to the data subject specified by Article 10 of the Directive – the website operator or the provider of the social plugin?

Held

1) No. The Directive does not oblige or expressly empower Member States to provide in their national law that an association can represent a data subject in legal proceedings or commence legal proceedings of its own initiative against the alleged infringer. However, the Directive does not preclude this.

Although the Directive amounts to a harmonisation of national legislation on the protection of personal data, Member States have a margin of discretion in its implementation. For example, Article 24 requires Member States to adopt “suitable measures” to ensure the full implementation of the provisions, but does not define such measures. It seems that a provision making it possible for a consumer-protection association to commence legal proceedings against an alleged infringer may constitute a suitable measure that contributes to the realisation of the objectives of the Directive. Namely: (1) to ensure the effective and complete protection of the fundamental rights and freedoms of natural persons with respect to personal data, and (2) to ensure a high level of protection in the European Union through national laws.

2) Yes, although only in relation to operations in respect of which the website operator actually determines the purposes and means of processing.

In the present case, subject to investigations that the referring court would perform, it appeared that Fashion ID and Facebook Ireland determined jointly the purposes and means of the operations involving the collection and transmission of the visitors’ personal data. Relevantly:

  1. Fashion ID was fully aware that the ‘Like’ button served as a tool for the collection and disclosure of the personal data. It exercised “decisive influence” over the collection and transmission of the personal data, which could not have occurred without Fashion ID installing the plugin;
  2. Fashion ID consented (at least implicitly) to the collection and disclosure of visitors’ personal data in order to optimise publicity for its own goods by increasing their visibility on Facebook. Therefore, the processing was performed in the economic interests of both Fashion ID and Facebook Ireland.

However, Fashion ID could not be considered a controller in respect of the subsequent operations involving data transmitted to Facebook Ireland, which it had no control over.

3) Both. In light of the finding that a website operator can be considered to be a controller jointly with the social network, each of them needed to pursue a legitimate interest within the meaning of Article 7(f) in order for those operations to be justified.

4) Consent pursuant to Articles 2(h) and 7(a) of the Directive must be given prior to the collection and disclosure of the data subject’s data. In such circumstances, it is for the website operator to obtain consent, since the visitor’s consultation of their website triggers the processing of the data.

Similarly, the controller must provide the information required by Article 10 of the Directive immediately (that is, when the data is collected). It follows that the duty to inform is incumbent on the website operator, but only in connection with the portion of operations for which they were a controller.

Comment

The CJEU’s decision on representative proceedings is now less significant in light of Article 80(2) of the General Data Protection Regulation 2016/679 (‘GDPR’), which expressly authorises Member States to allow consumer-protection organisations to bring or defend legal proceedings. In its decision, the CJEU noted that Article 80(2) confirmed that its interpretation of the Directive reflected the current will of the EU legislature.

The outcome of these proceedings clearly illustrates the CJEU’s statement in Jehovan todistajat C-25/17 that where a controller determines the means and purposes of processing “jointly” with others, this does not necessarily imply equal responsibility. Operators can be involved at different stages of the process and to different degrees. Businesses should bear this decision in mind when integrating plugins into their websites, and if they decide to proceed, consider how responsibility for compliance with the Regulation should be apportioned. This requirement has been formalised by Article 26 of the GDPR, which requires joint controllers to enter a transparent arrangement that sets out their responsibilities for compliance with obligations under the Regulation.
