With Panopticon having been prorogued for much of the summer, we didn’t get round to a timely blog post on the CJEU’s judgment from the end of July in Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV (Case C-40/17). In case you were likewise lounging around Rees-Mogg style and failed to keep up with data protection judgments, here is a brief summary to help you disguise that from your boss or clients.
Fashion ID is still part of the tail of ‘old’ data protection cases on the CJEU’s list, i.e. it is a case under the Directive rather than the GDPR. That said, its principles are likely to apply equally under the GDPR. Those principles will come as no surprise to anyone who has been following comparable cases over the last couple of years (in particular, Fan pages and the Jehovah’s Witness case).
The case concerned an online retailer’s embedding of a social plugin, a Facebook ‘like’ button. This meant that Facebook received certain personal data (IP address and certain browser data) about visitors to Fashion ID’s website, regardless of whether or not the visitor had a Facebook account, and regardless of whether he/she clicked on the Facebook Like button.
The first issue of interest to us was whether Fashion ID was a controller for that processing, i.e. the transmission of that personal data to Facebook via the embedded plugin. In keeping with recent case law, the answer was clearly yes (or more accurately: Fashion ID can be a controller; the actual decision is for the referring court). By embedding this plugin, Fashion ID “exerts a decisive influence over the collection and transmission of the personal data of visitors to that website to the provider of that plugin, Facebook Ireland”. And Fashion ID does this to optimise publicity for its goods, i.e. for commercial advantage. So it can suitably be characterised as a controller.
The second point to note is that both Facebook and Fashion ID were controllers here. So, where this transmission of data to Facebook is based on legitimate interests, both of those controllers needed to have the requisite interests.
Thirdly, it is by now well-established that, where there is more than one controller, they need not necessarily have equal responsibilities. “On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, with the result that the level of liability of each of them must be assessed with regard to all the relevant circumstances of the particular case”. Here, Fashion ID was not a controller for processing operations that preceded or were subsequent to the act of transmission to Facebook. It was only a controller for the transmission itself. So, to the extent it needed consent, that consent was required only for that processing operation, and its transparency obligations were likewise confined to it.
So, as I say, hardly breaking news here: an early summer judgment, and very familiar principles. But the case is yet another illustration of this subtle and often difficult aspect of data protection law: how to calibrate data protection duties according to the processing operations for which a controller bears responsibility?
Robin Hopkins @hopkinsrobin