As early as the end of last year, I had reported that the Advocate General of the ECJ had recommended that the Court of Justice decide that a website operator, together with Facebook, would be liable for data breaches of like buttons(see this post).

As is so often the case, the ECJ has today endorsed this view.

In its judgment, the Court first of all makes it clear that the old Data Protection Directive does not preclude the fact that associations in order to safeguard consumer interests are allowed to defend against the alleged infringer of rules on the protection of personal data. bring an action.

The Court points out that the new General Data Protection Regulation now expressly provides for this possibility.

The Court then finds that a website operator does not appear to be liable for the data processing operations carried out by Facebook Ireland after the data was transmitted to it. At first sight, it seems impossible for the latter to decide on the purposes and means of those transactions.

On the other hand, the operator may be regarded as jointly responsible with Facebook Ireland for the operations of the collection of the data in question and their forwarding by transmission to Facebook Ireland, since (subject to the verification) can be assumed that the website and Facebook Ireland jointly decide on the purposes and means.

The reason for this is that the user of the Like button is given the opportunity to optimize his own advertising by making it more visible on the social network Facebook when a visitor clicks on the button.

In order to be able to benefit from that economic advantage, which consists of such improved advertising, the supplier at least tacitly consents to the
collection of personal data of visitors and their disclosure by
transmission. In doing so, these processing processes are carried out in the economic
interest of both the website operator and Facebook Ireland.

However, in the case in which the data subject has given his consent, the data subject must only be obtained for the transactions for which the operator is (co-)responsible, i.e. the collection and transmission of the data.