We are sometimes more responsible than we think... or than we want to be.
Legal Watch – September 2019.
This is the case when you install a simple plug-in on your website, even if you never gain access to the data it collects.
A recent ruling by the Court of Justice of the European Union, known as "Fashion ID" (1), confirms this observation by clarifying the responsibility of website managers who insert a Facebook "like" icon on their page.
Inserting this simple plug-in can therefore make the site manager jointly responsible for the processing, together with the social network that collects the data.
From a technical point of view, merely inserting a plug-in on a web page causes the connection data of every visitor to that page to be sent automatically to the social network concerned, whether or not the visitor clicks on the plug-in icon. In this case, the data of visitors to the website of Fashion ID, a German online fashion clothing retailer, was thus systematically transmitted to Facebook. This is what actually happens on many websites today, whether online shops, news sites, or blogs. And the reasoning applied to Facebook in this case extends to any social network or other entity using the same technology.
The Court of Justice clarified that the fact that the site manager does not have access to the data thus transmitted does not diminish its liability. The fact that it determines, jointly with Facebook, the purposes and means of the processing remains the decisive factor. The Court infers the possible joint liability of the site and Facebook from the mutual economic benefits they derive from this cooperation: for Facebook, the enrichment of its database, and for the site manager, an optimization of advertising for its products on the Facebook social network as soon as a visitor clicks on the "like" icon.
The Court clarifies that legal responsibilities and obligations vary depending on the different aspects of the processing: in this case, Fashion ID cannot be held responsible for how Facebook subsequently processes the data. Facebook must also provide a specific legal basis for this processing. However, the website operator is required to inform and obtain the consent of its visitors separately regarding the collection and transmission of this data to the social network.
Several lessons can be learned from this important ruling. It is therefore advisable to:
- systematically check the conditions of use of the plug-ins on your website, and the conditions under which data may be transmitted to third parties;
- check the liability clauses in contracts with these third parties;
- inform visitors specifically about this collection and obtain their separate consent.
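As an added example (not code from the newsletter, nor Facebook's own plug-in code), the script below carries out the first check on the list: it inventories the third-party hosts a page contacts automatically on load, which is precisely the transmission the ruling is about, and shows a consent-gated placeholder that defers loading the "like" button until the visitor opts in. The sample page and the first-party host `shop.example` are constructed for the demo; a real audit would inspect the rendered DOM, since scripts add further requests once they run.

```javascript
// Added example, not code from the newsletter or from Facebook.
// SAMPLE_HTML and the first-party host "shop.example" are constructed for this demo.
const FIRST_PARTY = "shop.example";
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<link rel="canonical" href="https://shop.example/dress">
</head><body>
<img src="/img/dress.jpg" alt="dress">
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fshop.example%2Fdress"></iframe>
<a href="https://twitter.com/shop">follow us</a>
</body></html>`;

// Tags whose src/href the browser fetches on load without any user action.
// <a href> is deliberately absent: a link only sends data once it is clicked.
const TAG = /<(script|iframe|img|link)\b([^>]*)>/gi;
const SRC = /(?<![\w-])(?:src|href)\s*=\s*["']([^"']+)["']/i;
// Only these <link> relations trigger a fetch; rel="canonical" etc. do not.
const LINK_FETCHED = /\brel\s*=\s*["']?(?:stylesheet|preload|prefetch|icon)\b/i;

// Returns the sorted list of third-party hostnames contacted on page load.
function thirdPartyHosts(html, firstParty) {
  const hosts = new Set();
  for (const m of html.matchAll(TAG)) {
    const tag = m[1].toLowerCase(), attrs = m[2];
    if (tag === "link" && !LINK_FETCHED.test(attrs)) continue;
    const s = SRC.exec(attrs);
    if (!s) continue;
    let host;
    try { host = new URL(s[1], `https://${firstParty}/`).hostname; } catch { continue; }
    if (host === firstParty || host.endsWith(`.${firstParty}`)) continue;
    hosts.add(host);
  }
  return [...hosts].sort();
}

// Consent-gated embed: until the visitor opts in, render a placeholder that names
// the recipient but carries no src/href, so the browser requests nothing from it.
function renderSocialButton(consentGiven, embedUrl) {
  const host = new URL(embedUrl).hostname;
  if (!consentGiven) {
    return `<button type="button" class="consent-embed">Load "like" button (sends your connection data to ${host})</button>`;
  }
  return `<iframe src="${embedUrl}" width="150" height="30" title="Like button"></iframe>`;
}

console.log("Contacted on load:", thirdPartyHosts(SAMPLE_HTML, FIRST_PARTY));
```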
These precautions are all the more relevant since the CNIL recently clarified the strict conditions for obtaining consent with regard to online advertising targeting, and announced that it would focus its monitoring activities in 2019 on issues of distribution of responsibilities between the different parties processing personal data.
These issues are also being addressed at the European level. The EDPB, which brings together the European Union's national data protection authorities (the CNIL and its counterparts), has initiated discussions involving various sectoral organizations to update the supervisory authorities' reference opinion on the identification and role of controllers, joint controllers, and processors.
And also:
• In Europe:
Brexit:
What would be the conditions for data transfers to the United Kingdom if the country were to leave the European Union without a deal? The EDPB published a note in early 2019 detailing the conditions and the various applicable legal bases. The British data protection authority also answers many questions on its official website.
Biometrics:
The Swedish Data Protection Authority issued its first sanction under the GDPR on August 21. A €20,000 fine was imposed on a school for implementing a facial recognition system for students in violation of several GDPR principles: invalid consent, sensitive biometric data, lack of prior impact assessment, and failure to consult the data protection authority.
Cloud and data protection:
The prospect of a European cloud with harmonized rules is getting closer. On August 29, the first meeting of public and private sector stakeholders, at European and international level, took place in The Hague.
• In the world:
Electronic evidence:
The conditions under which judicial authorities can access electronic evidence ('e-evidence') held by companies are the subject of developments in Europe and internationally. The objective is to harmonize these rules in Europe but also to reach an agreement with the United States on the conditions of access to this data, as part of the fight against crime. Under the American "Cloud Act," the United States has had access to the data of American companies based in Europe since March 2018. The objective is to reach an agreement on these conditions of access on both sides of the Atlantic, in compliance with data protection rules.
ISO standard:
The new ISO/IEC 27701 standard was published in early August. It extends ISO/IEC 27001 and ISO/IEC 27002 to cover privacy information management, and also takes into account the requirements of the GDPR.
(1) The judgment applies Directive 95/46/EC, since repealed by Regulation (EU) 2016/679, the GDPR. The provisions concerning (joint) responsibility have, however, remained identical in the new Regulation.