Facebook Like, social sharing buttons on your website may land you in GDPR hot water if data goes a-wanderin'

Euro court mulls whether site operators should share compliance responsibility with info-slurping giants


In a case being considered by the European Court of Justice (CJEU), Advocate General Michal Bobek argued on Wednesday that website operators should share some responsibility with providers of embedded web widgets for ensuring that any data collection complies with legal requirements.

In other words, if you embed a Facebook 'Like' button or similar on your site, it's on you to make sure information collected through that button is all above board, in terms of legal privacy obligations, or else you're on the hook.

The case in question, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, involves a German fashion retailer that placed a Facebook Like button on its website. As a result, visitors to that website provide data to Facebook, such as the visitor's IP address, browser identification string and any relevant Facebook-issued cookies, simply by loading the page.

Verbraucherzentrale NRW, a German consumer group, sought an injunction against Fashion ID in 2015 for its use of the Facebook Like button on the grounds that the widget's data collection violates the EU's Data Protection Directive (DPD) of 1995.

The DPD has since been replaced by the General Data Protection Regulation (GDPR) of 2016, which took effect in May this year, but the older directive remains applicable to this case.

In 2016, Fashion ID lost in a Dusseldorf regional court, and appealed to a higher German court, with Facebook joining in the appeal. The higher court then asked the CJEU to resolve questions about how the data rules should be applied. A CJEU decision is pending.

Bobek, whose role is to advise the court, would like the CJEU to treat website operators as joint controllers under the law. Verbraucherzentrale, in a post supporting Bobek's argument, says website operators should obtain the consent of site visitors before collecting data.

In June, the CJEU came to just such a conclusion in a similar case, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH.

That legal battle involved Wirtschaftsakademie, a business academy with a Facebook Page offering educational resources that, according to a local German data authority, failed to notify visitors of the presence of data-collecting cookies.

The CJEU found that the operator of the Facebook Page was a joint controller of the data under the law, though liability isn't necessarily shared equally between the two parties. Following the decision, German data minders issued guidance for those operating Facebook Pages about their legal obligations.

In her analysis of the Wirtschaftsakademie ruling over the summer, University of Essex law professor Lorna Woods suggested the decision could dampen enthusiasm for third-party web widgets like Facebook Like and Google Analytics.

A rod to beat them with

"It may be less easy to get content providers to use these platforms if they come with a potentially hefty liability price-tag," she observed, allowing that it's unclear how liability might be apportioned between a company like Facebook and those using its technology. According to Woods, the shift from the DPD to the GDPR doesn't necessarily make this a purely historical legal battle. GDPR, she says, didn't dispense with the DPD entirely, and retains the concept of data controllers and joint controllers.

Facebook maintains its Like button and other plugins are lawful under the GDPR. But that claim looks likely to be tested in court.

The company's constant presence in the news for privacy problems over the past year may even encourage such complaints. This week alone saw:

And there are still two more days left in the week. ®
