Facebook’s “Like” button makes third-party websites responsible for processing people’s data under the European Union’s privacy rules, according to the EU’s top court.
The EU Court of Justice weighed in on a dispute after an online fashion retailer was accused of violating EU law by embedding a Like plugin, which a local consumer association said allowed the social media company to collect data on the site’s users.
The owner of a website can be held jointly responsible for “the collection and transmission to Facebook of the personal data of visitors to its website,” the Luxembourg-based court said in a ruling on Monday. “By contrast, that operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone.” The decision can’t be appealed.
The case has been closely watched by privacy lawyers who say many companies are unaware of the potential risks of being held jointly liable with tech giants such as Facebook for data they share with them by embedding a social plugin, such as Facebook’s iconic ‘Like’ button on their website. Belgium’s data protection regulator said last year a ruling making websites jointly liable could have “serious repercussions” for website operators.
“Website plugins are common and important features of the modern internet,” Facebook’s associate general counsel Jack Gilbert, said in a statement. “We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”
The case dates back to before the EU enacted much stricter privacy rules with its General Data Protection Regulation, or GDPR. Still, the concept of two companies being seen as joint controllers for data protection reasons, remains relevant in the new rules, said Tom De Cordier, a technology and data protection lawyer at CMS DeBacker in Brussels.
He said there’s a high likelihood that big organisations use such technology that tracks users’ data in some form on their websites.
“The impact will be that if something goes wrong on the data collection side, you may be on the hook as much as Facebook is,” he said.
“If the court takes a fairly broad interpretation of the concept of joint controllership, the risk exposure for companies becomes much bigger,” said De Cordier by phone before the ruling was known. “The level of awareness of this risk is still very low.”