It's official: Deploying Facebook's 'Like' button on your website makes you a joint data slurper

Using widgets probably not worth the GDPR minefield

Organisations that deploy Facebook's ubiquitous "Like" button on their websites risk falling foul of the General Data Protection Regulation following a landmark ruling by the European Court of Justice.

The EU's highest court has decided that website owners can be held liable for data collection when using the so-called "social sharing" widgets.

The ruling (PDF) states that employing such widgets would make the organisation a joint data controller, along with Facebook – and judging by its recent record, you don't want to be anywhere near Zuckerberg's antisocial network when privacy regulators come a-calling.

'Purposes of data processing'

According to the court, website owners "must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the [data] processing".

By extension, the ECJ's decision also applies to services like Twitter and LinkedIn.

Facebook's "Like" is far from an innocent expression of affection for a brand or a message: its primary purpose is to track individuals across websites, and permit data collection even when they are not explicitly using any of Facebook's products.

The case that brought social sharing widgets to the attention of the ECJ involved German fashion retailer Fashion ID, which placed Facebook's big brother button on its website and was subsequently sued by consumer rights group Verbraucherzentrale NRW.

The org claimed the fact that Fashion ID's website users were automatically surrendering their data – including IP address, browser identification string and a shedload of cookies – contravened the EU Data Protection Directive (DPR) of 1995, which has since been superseded by the much stricter General Data Protection Regulation (GDPR).

In 2016, Fashion ID lost in a Dusseldorf regional court, and appealed to a higher German court, with Facebook joining in the appeal. The case was then escalated to the ECJ, with the outcome closely watched by law and privacy experts.

On Monday, the ECJ ruled that Fashion ID could be considered a joint data controller "in respect of the collection and transmission to Facebook of the personal data of visitors to its website".

The court added that it was not, in principle, "a controller in respect of the subsequent processing of those data carried out by Facebook alone".

'Consent'

"Thus, with regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as Fashion ID must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data," the ECJ said.

The concept of "data controller" – the organisation responsible for deciding how the information collected online will be used – is a central tenet of both DPR and GDPR. The controller has more responsibilities than the data processor, who cannot change the purpose or use of the particular dataset. It is the controller, not the processor, who would be held accountable for any GDPR sins.

In its response to the ruling, Facebook decided to pretend that the "Like" button was just an average website plugin: "We welcome the clarity that today's decision brings to both websites and providers of plugins and similar tools," Jack Gilbert, Associate General Counsel at Facebook, said in a statement.

"We are carefully reviewing the court's decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law."

Nothing Facebook does seems to hurt its sales: the company has just reported second quarter results, growing its revenue 28 per cent year-on-year to reach $16.6bn. ®
