How CJEU’s Fashion ID ruling stripped sites of the ‘like’ button and the cookie surprise
An article by Andreea Vlănțoiu published in the IAPP’s Privacy Advisor
Not many could have foreseen this outcome of July’s Fashion ID ruling. The Court of Justice of the European Union considered the site administrator in the case, a German online clothing retailer, as a joint controller together with Facebook regarding data processing through the “like” button embedded on the site.
The ruling was especially surprising because the site administrator had no access to or control over the data collected by Facebook through the “like” and “share” buttons. In the end, the court considered the site administrator’s lack of access and control but decided that the joint controllership is brought on by the common commercial interest shared by the administrator and Facebook when using the “like” button.
Some of the not-so-obvious consequences of the Fashion ID ruling went largely unnoticed, probably because the court’s news release was somewhat too concise to catch the subtleties. At first glance, the news release appears to confirm the court finally settled a longtime debate by recognizing the site’s capability to use network plugins based on legitimate interest.
The news seemed to be welcomed by the tech and privacy community worldwide as a relief from the burden of getting previous informed consent from the user, especially since, as in the previous findings, the court maintained that Facebook’s processing of data appears to begin at the mere visiting of the site, regardless of the user’s actual click on the “like” button or adherence to the social network, which makes previous and informed consent likely impossible.
So, the remaining debate was to establish whose legitimate interest it was: Facebook’s or Fashion ID’s. In principle, the court stated that both parties should be able to justify legitimate interest, a statement which was duly reproduced in the news release.
But the court also stated something else: that the debate over whose legitimate interest it was had no relevance to the case, as long as the obligation to obtain consent, set out by the German national implementing law of the ePrivacy Directive, had not been observed.
The ePrivacy Directive, still in force and mostly aggravated by the national implementing laws, and the data protection legislation are intertwined and need to be interpreted in a correlated manner. The same situation can also be found in Romania and probably many other EU member states, where the ePrivacy Directive was implemented in such a way that consent was deemed mandatory. In such countries, the use of social network plugins based on the legitimate interest of the controller appears to be illegal, a fact which the Fashion ID ruling doesn’t fail to swiftly remind us of.
Therefore, the only remaining option seems, again, to be to rely on consent, which, as previously analyzed, seems highly unlikely to be obtained, at least not in a “previous and informed” fashion. Unless Facebook and the other social networks that provide plugins for websites begin to change the way that the plugins work in order to allow sites to properly inform the users and actually be able to require prior consent, the conclusion of the unseen parts of the Fashion ID ruling is a likely ban on the “like” and “share” buttons on all sites where the local implementing laws of the ePrivacy Directive oppose processing on legal grounds other than prior informed consent.
Another consequence of the Fashion ID ruling
Cookies and social network plugins fall in the same category of items deployed in the visitor’s terminal equipment. Not only are the “like” and “share” buttons to be used only with prior informed consent, but the same applies to cookies. With pre-ticked consent boxes not allowed by the EU General Data Protection Regulation, and the “by the use of this site you have consented to our cookies” practice not endorsed by the latest ICO guidance on cookies, the only remaining legal possibility is to either obtain explicit consent or not deploy cookies on the user’s device.
A huge number of sites — media sites, online malls, banks, you name it — should review their cookie modules and policies in order to align them to the now-clarified obligation to obtain previous informed consent, with an eye on the national implementing laws of the ePrivacy Directive of each EU state.
To draw a conclusion on what appears to remain the riddle of the Fashion ID ruling, the question of how the “like” and “share” buttons can be legally used in the countries where prior consent is mandatory but cannot be obtained prior to Facebook’s start of processing is still difficult to answer. As it appears, unless Facebook soon changes the way the social network plugin processes data, the site owners that choose to embed these buttons within their site currently face the risk of being exposed to fines or to complaints similar to the one in Fashion ID’s case.
Site administrators may want to consider preparing to obtain prior informed consent, regardless of the member state they’re located in, at least in view of the latest draft of the expected ePrivacy Regulation, which is to replace the current ePrivacy Directive.
Where the current ePrivacy Directive doesn’t by itself require consent from the user (this being just the modus operandi reached by some stricter-standard member states when locally implementing the directive), the new ePrivacy Regulation takes a totally different stance on consent.
Of course, consent — prior and informed — will be required “to the extent that use is made of processing and storage capabilities of terminal equipment and information from end-users’ terminal equipment is collected for other purposes than for what is necessary.”
And no, there will be no need for any country to adopt any implementing law that might alter this requirement, as an EU regulation is directly applicable in each EU state, unlike the present ePrivacy Directive.