Judge Urges Wide Liability Net on Facebook Data Collection

(CN) – Saying websites make a strategic business decision when they adopt a Facebook “like” button, an EU magistrate recommended Wednesday that they share responsibility with Facebook for the data collection that ensues.

The case here evolved from a suit brought by consumer advocates in Germany who belong to Verbraucherzentrale NRW. After the German e-retailer Fashion ID embedded a Facebook “like” plugin on its website, Verbraucherzentrale argued that EU data-protection laws supported its demand for an injunction.

Critical to Verbraucherzentrale’s claim, the “like” button causes Facebook to gather data on Fashion ID’s website visitors, regardless of whether the visitors click the button. The transfer to Facebook occurs automatically, even if the user does not have a Facebook account, sending along the IP address and browser string of any user who lands on Fashion ID’s website.

While the case will eventually be settled by the European Court of Justice, Advocate General Michal Bobek recommended to that Luxembourg-based body on Wednesday that it hold the website jointly responsible for the collection and transmission of user data.

In his nonbinding opinion, Bobek focused on the practical reason why Fashion ID installed the Facebook button: “to increase visibility of the defendant’s products via the social network.”

While Facebook may use the data for its own commercial purposes, Bobek said both companies can be said to be “pursu[ing] commercial purposes in a way that appears to be mutually complementary.”

“It thus appears that the defendant and Facebook Ireland co-decide on the means and purposes of the data processing at the stage of the collection and transmission of the personal data at issue,” he wrote. “To that extent, the defendant acts as a controller and its liability is, to that extent as well, joint with that of Facebook Ireland.”

Bobek also emphasized, however, that Fashion ID’s liability “cannot spill over into any potential subsequent stages of data processing, if such processing occurs outside [its] control and, it would appear, also without [its] knowledge.”

Opining on Fashion ID’s disclosure responsibilities, Bobek said the website “clearly appears to be in a position to provide information about the identity of the joint controllers, about the purpose of the respective stage of the processing (the operation(s) over which it has joint control); and also about the fact that those data will be transferred.”

Bobek disagreed with the input by the European Commission, however, “that those of the visitors who have a Facebook account may have previously consented to such a transfer occurring.”

“I find it difficult to accept the idea that there should be differentiated (less protective) treatment in respect of ‘Facebook users’ in the circumstances of the present case because they would have already accepted the possibility of (any and all of) their personal data being processed by Facebook,” Bobek wrote. “Indeed, such an argument implies that upon opening a Facebook account one accepts in advance any data processing with regard to any online activity of such ‘Facebook users’ by any third party having whatever connection with Facebook. That is so even in a situation in which there is no visible sign of such data processing occurring (as seems to be the case when one simply visits the Defendant’s website). In other words, accepting the Commission’s suggestion would in effect mean that by opening a Facebook account, a user has actually waived any protection of personal data online vis-à-vis Facebook.

“I thus consider that the liability and the ensuing consent and information obligations of the Defendant should be the same vis-a-vis the data subjects irrespective of whether or not they have a Facebook account.

“Furthermore, it is again clear that that consent has to be given and information provided before the data are collected and transferred.”

%d bloggers like this: