Yesterday, the CJEU published its judgment in Fashion ID, a case concerning mainly the notion of "controller" under EU data protection law.
The facts of the case are relatively simple: Fashion ID had placed a "like" button on its website which was connected to Facebook. What Fashion ID's customers may not realise is that - even if they did not use it - the button's presence meant that information concerning them was being transmitted to Facebook. In the proceedings it was uncontested that this information qualified as personal data.
Verbraucherzentrale NRW, a consumer association, brought an injunction against Fashion ID demanding that it abandon such practice. The question whether Fashion ID has any obligations in connection with the data processing - including the duty to inform consumers that their data are being collected and/or require their consent - depends on whether the website is to be considered a data controller.
The referring court doubted whether this is the case since the website operator has no control over the processing of the data transmitted to the plugin provider (para 37).
The Court, in essence, answered that the operator of the website acts as a controller, and is thus responsible for informing the consumer or collecting their consent, insofar as the collection of information and transmission to Facebook is concerned. In particular concerning the collection of the user's consent, the court highlighted that it would not be in line with efficient and timely protection of the subject's rights if the consent would be given only to the second controller, which is involved at a later stage (para 102). Even more strongly, when a customer is not a Facebook user, their data will be processed by the social media operator without them having any direct connection to the latter- which makes the responsibility of the other provider all the greater (para 83).
However, the website operator is not responsible vis à vis the data subjects for any other uses that Facebook itself will make of the data, nor for collecting their consent in that respect (para 102).
While the website has no control on the use of the transmitted data, the purpose of such collection is in part related to the website's benefit as it allows better promotion of its products (para 77-81).
As concerns the collection of data without the subject's consent - ie data that is necessary for the pursuit of a legitimate interest - the court importantly clarified that where both the website and the provider of the social plugin are controllers, they must both be pursuing a legitimate interest for the ground of processing to apply (para 96).
The decision interprets relevant provisions in the "old" Data pProtection directive, which has meanwhile been replaced by the GDPR - but the concepts that it deals with have been kept in the Regulation, so the decision can be transposed to the new rules.
Quite unsurprisingly, the Court rejected Fashion ID's claim that consumer associations would not be entitled to bring any claims under data protection rules - while article 80(2) of the GDPR quite
famously invites MS to set collective enforcement mechanisms, nothing in the previous directive, which only contained general indications on enforcement, can be seen to stand in the way of Member States allowing consumer associations to bring such claims (see in particular paras 57-62).
The Court seems to be aware of the potentially high-profile nature of this case and has accompanied the publication of its decision with a press release.