It's official: Deploying Facebook's 'Like' button on your website makes you a joint data slurper

Using widgets probably not worth the GDPR minefield


Organisations that deploy Facebook's ubiquitous "Like" button on their websites risk falling foul of the General Data Protection Regulation following a landmark ruling by the European Court of Justice.

The EU's highest court has decided that website owners can be held liable for data collection when using the so-called "social sharing" widgets.

The ruling (PDF) states that employing such widgets would make the organisation a joint data controller, along with Facebook – and judging by its recent record, you don't want to be anywhere near Zuckerberg's antisocial network when privacy regulators come a-calling.

'Purposes of data processing'

According to the court, website owners "must provide, at the time of their collection, certain information to those visitors such as, for example, its identity and the purposes of the [data] processing".

By extension, the ECJ's decision also applies to services like Twitter and LinkedIn.

Facebook's "Like" is far from an innocent expression of affection for a brand or a message: its primary purpose is to track individuals across websites, and permit data collection even when they are not explicitly using any of Facebook's products.

The case that brought social sharing widgets to the attention of the ECJ involved German fashion retailer Fashion ID, which placed Facebook's big brother button on its website and was subsequently sued by consumer rights group Verbraucherzentrale NRW.

The org claimed the fact that Fashion ID's website users were automatically surrendering their data – including IP address, browser identification string and a shedload of cookies – contravened the EU Data Protection Directive (DPR) of 1995, which has since been superseded by the much stricter General Data Protection Regulation (GDPR).

In 2016, Fashion ID lost in a Dusseldorf regional court, and appealed to a higher German court, with Facebook joining in the appeal. The case was then escalated to the ECJ, with the outcome closely watched by law and privacy experts.

On Monday, the ECJ ruled that Fashion ID could be considered a joint data controller "in respect of the collection and transmission to Facebook of the personal data of visitors to its website".

The court added that it was not, in principle, "a controller in respect of the subsequent processing of those data carried out by Facebook alone".

'Consent'

"Thus, with regard to the case in which the data subject has given his or her consent, the Court holds that the operator of a website such as Fashion ID must obtain that prior consent (solely) in respect of operations for which it is the (joint) controller, namely the collection and transmission of the data," the ECJ said.

The concept of "data controller" – the organisation responsible for deciding how the information collected online will be used – is a central tenet of both DPR and GDPR. The controller has more responsibilities than the data processor, who cannot change the purpose or use of the particular dataset. It is the controller, not the processor, who would be held accountable for any GDPR sins.

In its response to the ruling, Facebook decided to pretend that the "Like" button was just an average website plugin: "We welcome the clarity that today's decision brings to both websites and providers of plugins and similar tools," Jack Gilbert, Associate General Counsel at Facebook, said in a statement.

"We are carefully reviewing the court's decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law."

Nothing Facebook does seems to hurt its sales: the company has just reported second quarter results, growing its revenue 28 per cent year-on-year to reach $16.6bn. ®
