The Court of Justice of the European Union recently ruled, in Case C-40/14 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, that a website operator that features “Like" social-media plugin from Facebook likely qualifies as joint-controller with Facebook for its website visitors' personal data collection and transmission to Facebook.
The CJEU recalled that in order to qualify as “data controller", it is sufficient for a natural or legal person to exert influence over the processing of personal data for its own purposes even though such involvement only relates to one part of the processing. Different operators can thus be involved to different degrees, and their respective liabilities will then have to be assessed on a case-by-case basis.
The Advocate General stated in its opinion that an entity can qualify as controller only in relation to the operations of personal data processing for which it jointly determines the purposes and means, but not for any other parts of the overall chain of processing.
In this case, the CJEU stated that Fashion ID “appears to have made it possible for Facebook to obtain personal data of visitors to its website" as soon as that visitor accesses the website and irrespective of whether he or she is a Facebook user or whether he or she has even clicked the “Like" button. Hence, the CJEU concluded that in relation to this collection and transmission of the visitors' personal data to Facebook, both Facebook and Fashion ID qualify as joint-controllers because they determine together the means and origin of the processing operations. Indeed, by adding on this “Like" button to its website, Fashion ID optimises the exposure of its goods by increasing their visibility on Facebook.
All these conclusions are still formulated in a relatively hypothetical form by the CJEU since it is now up to the national referring Court to conduct the necessary investigations and render a final decision on the merits.