Fashion ID and Facebook – The EU Court Ruling

On the 29th July 2019 the Court of Justice of the European Union (the Court) passed its preliminary ruling on a case being tried at The Oberlandesgericht Düsseldorf (Higher Regional Court, Düsseldorf, Germany). The case was Fashion ID, a German online clothing retailer, against a claim brought by Verbraucherzentrale NRW (VNRW), a German public-service association.

Fashion ID had embedded on its website the Facebook ‘like’ button. This meant that when a visitor opens Fashion ID’s website, that visitor’s personal data was then transmitted to Facebook (Ireland). This happened, whether or not the data subject was a member of Facebook and regardless of whether the person had used the ‘like’ button.

The Claimant criticised this transmission of data for two reasons; firstly that it had been done without  the data subjects consent; and secondly, that the transmission breaches ‘the duties to inform’, as set out in the provision, relating to the protection of personal data, from the Data Protection Directive of 1995, which is the relevant legislation for this case.

So what does the Courts preliminary ruling state?

(Consumer) Protection associations can bring legal proceedings against alleged infringements of protection to personal data.

This ruling allows for the claimant to bring legal proceedings, on behalf of those individuals affected by Fashion ID’s actions. The Court also notes that the current legislation, General Data Protection Regulation (GDPR), does now expressly provide for this possibility. The main consumer protection association in the UK is the CPA.

A business can be considered a joint controller with a social media site.

Fashion ID is considered a joint data controller with Facebook in the respect of the data being transferred to Facebook from Fashion ID, as both parties would be involved in the decision to transfer the data from one site to the other.

However, the Court has been clear that Fashion ID cannot be considered responsible, as a controller, in respect of the processing of data, after the data had been transferred to Facebook.

An organisation must obtain prior consent, before collecting/transmitting data, even when it is the joint controller for this data.

In the new age of data protection, consent is extremely important. Organisations are no longer able to take action, in regards, to an individual’s information without the prior consent to do so.

While consent is more loosely defined under the Data Protection Directive (as it allowed for opt-out consent mechanisms) consent is still required by each controller in the respect of how they will use the data they intends to collect.

Under GDPR consent as defined in Article 4(11), consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

It is important for all businesses to make sure that their consent mechanisms are up to date with legal requirements as well as any ICO guidance; such as the recent guidance on cookies.

The Court recognises legitimate interest as a method of processing data without consent however, the interest must be proved.

The Court found that for each of the joint data controllers, to use legitimate interest, they must first prove a legitimate interest, for the collection and transmission of personal data in order to be complaint. This means that you have to prove a legitimate interest before acting upon this as a legal reasoning.

The Court is also highlighting on how legitimate interest must be used to process data that is only necessary for that particular interest. Meaning that information outside of this interest cannot be processed in anyway without the express consent from the data subject.

This isn’t revolutionary, but many businesses do not conduct the necessary legitimate interest assessments before using legitimate interest as grounds for processing data.

How does this effect my business?

The take away from this ruling is that organisations need to check their methods of third party data sharing. Do any of these agreements make the organisation a joint controller? If this is the case you need to ensure that the appropriate safeguards are in place to protect your data subjects, and as a result protect your organisation from being liable due to negligence.

It is important to remember the fines issued by the ICO in the last month; they highlight how regulators are taking action against organisations who have acted in breach of data protection laws. It is no secret that these fines could be crippling to an organisation so it is better to act now instead of face a potential punishment later.