The possibility to include Facebook Like as a plugin, for example, has been controversial for a long time. This is especially true since Facebook also tracks data from people who are not even members of the network.

In some cases, the only point of contention was whether users had to be made aware of this fact, and if so, in what way. Now the Advocate General of the ECJ has also expressed his opinion in a current legal dispute. The ECJ usually follows the opinion of the Advocate General. The latter’s opinion makes the use of the Facebook Like button in any form a major warning risk.

According to Advocate General Bobek, the operator of a website on which a third-party plugin such as the Facebook “Like” button is embedded, which leads to the collection and transmission of the user’s personal data, is jointly responsible for this phase of data processing. With regard to these data processing operations, the website operator must provide users with the information they need to obtain at least and, where necessary, obtain their consent before collecting and transmitting data.

Thus, the so-called 2-click solution, which was propagated for a long time by the Heise publishing house, for example, should also be problematic and a violation of the GDPR. With the 2-click solution, exactly the same data is transferred to Facebook as with the normal Like button. Just one click later.

This should now no longer be sufficient and therefore not permissible.

Bobek recommended that the ECJ rule that the Directive does not preclude a national rule that grants non-profit associations the power to take legal action against the alleged infringer of data protection law in order to protect the interests of consumers.

Furthermore, the Advocate General proposes to rule that, under the Data Protection Directive, the operator of a website that has integrated a plugin provided by a third party (such as the Facebook “Like” button) into its website, which triggers the collection and transmission of the user’s personal data, is to be regarded as a joint controller
together with that third party (in this case Facebook Ireland).

However, this (joint) responsibility of the controller should be limited to the processing operations for which the controller actually contributes to the decision on the means and purposes of the processing of the personal data.

So if you want to eliminate such responsibility, probably only such Like buttons are possible, which are simple (locally hosted) graphics with a link and whose appearance is simply changed with CSS.

The same should also apply, at the latest as of now, to similar solutions from other providers (e.g. for tracking) and thus of course also to the Facebook Conversion Pixel. All data may only be transferred with the express consent of the user.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Button Consumer Data protection Law Facebook Information KI Privacy Test