Website operators are liable for data processing of like buttons

At the end of last year, I reported that the Advocate General of the ECJ had recommended that the ECJ decide that a website operator would be liable together with Facebook for data protection violations of Like buttons(see this post).

As is so often the case, the ECJ has today endorsed this view.

In its judgment, the Court first of all makes it clear that the old Data Protection Directive does not preclude the fact that associations in order to safeguard consumer interests are allowed to defend against the alleged infringer of rules on the protection of personal data. bring an action.

The Court points out that the new General Data Protection Regulation now expressly provides for this possibility.

The Court then finds that a website operator does not appear to be liable for the data processing operations carried out by Facebook Ireland after the data was transmitted to it. At first sight, it seems impossible for the latter to decide on the purposes and means of those transactions.

On the other hand, the operator may be regarded as jointly responsible with Facebook Ireland for the operations of the collection of the data in question and their forwarding by transmission to Facebook Ireland, since (subject to the verification) can be assumed that the website and Facebook Ireland jointly decide on the purposes and means.

The reason for this is that the user of the Like button is given the opportunity to optimize his own advertising by making it more visible on the social network Facebook when a visitor clicks on the button.

In order to be able to benefit from this economic advantage, which consists of such improved advertising, the provider at least tacitly consents to the
collection of personal data of visitors and their disclosure through
transmission. These processing operations are carried out in the economic
interest of both the website operator and Facebook Ireland.

However, in the case in which the data subject has given his consent, the data subject must only be obtained for the transactions for which the operator is (co-)responsible, i.e. the collection and transmission of the data.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.