Europe: Liability of the operator of a website for the Facebook “Like Button”

Background
The European Court of Justice (ECJ) recently ruled on the long-discussed question of whether and how website operators can integrate the Facebook Like button (so-called “social plug-in”) in accordance with data protection requirements.

Th ECJ’s investigation results from a legal dispute between the Consumer Association of North Rhine-Westphalia and a subsidiary of Peek & Cloppenburg KG.

The retail chain had included the Like button on its website. This resulted in the personal data of the visitor being transferred to Facebook when the website was accessed. The data transfer took place regardless of whether the visitor was aware of it, the Like button was clicked or the visitor was a Facebook member at all.

Facebook, on the other hand, was able to track the visitor's behaviour and create profiles through data transfer. This allows internet content to be displayed to visitors that is specifically tailored to their interests.

The consumer association filed a complaint against this. According to the association, the user’s consent is required for the data transfer to Facebook; in addition, the user must be sufficiently informed about the data transfer. Otherwise the data transfer is unlawful.

Decision of the ECJ
If the website operator includes the Like button on its website, it is responsible for the collection and transmission of the visitor’s data to Facebook. In the future, the website operator must expressly inform the visitor about the data transfer. This does, of course, not apply to the data processing by Facebook itself.

The ECJ left unanswered whether the visitor’s consent is required for the data transfer or whether (still) a weighing of interests is sufficient. This will now be decided by Düsseldorf Higher Regional Court. In any case, it is clear that the processing of visitors’ personal data requires concrete justification.

Effects in practice
One can assume that the decision for similar plug-ins (from Google to Twitter) will have a corresponding role model effect.

As responsible officers, website operators with social plug-ins must expressly give notification in the future that personal data will be collected and transmitted to the provider of the social plug-in.

It is still unclear whether consent is required for the processing of the data when integrating a social plug-in or whether a weighing of interests is sufficient. What is certain, however, is that the need to grant consent leads to new pop-up windows on the websites.

Author: Tanja Schlüter