If you do, then you will be surprised to know that a recent judgement handed down by the European Court of Justice is of direct interest to your business. I’ll bet you didn’t think that would happen when you woke up this morning. But it’s true.
The judgement is generally known as the ‘Fashion ID’ judgement, as it relates to a German company called Fashion ID who had a Facebook ‘like’ button embedded on their website. In this instance the embedded ‘like’ button allowed Facebook access to an individual’s personal data when they visited the Fashion ID site. The problem was that the correct legal controls were not in place for this, and you didn’t even have to press the ‘like’ button for Facebook to have access to your personal data; simply visiting the site was enough.
The main point to note is that the Court found that both Fashion ID and Facebook are to be regarded as ‘joint-controllers’, which has the effect that both parties are in charge of the data for different purposes and means. With great power comes great responsibility, they say, so what are those responsibilities?
- Firstly, it means that if you have a ‘like’ button on your website or on a Facebook page linked to your company, you need a joint-Controller agreement between yourself and Facebook outlining the basis of that relationship.
- Secondly, both parties need a clear legal basis for getting the data and processing it in the way that they do, including Fashion ID passing the data to Facebook. The key point to note here is that these legal bases must be independent of one another. So, if Fashion ID are relying on legitimate interests, Facebook must also have their own legal basis, i.e. consent, legitimate interests etc., and the individual must have a right to object to this processing. The legal basis on the part of the company transferring the data to Facebook must cover that transfer too.
- Thirdly, both parties, Fashion ID and Facebook, have to let the person who is browsing the Fashion ID website know that this is all happening.
Therefore, a lot has to change in the way that many companies operate when agreeing to use ‘like’ buttons in the course of their business. If they don’t, someone is going to come after them and the companies that they deal with.
The case was taken by a German Consumer Protection Group, Verbraucherzentrale NRW Ze (try spelling that after 5 pints and a ride on a rollercoaster), who argued that the consumer was being given the short end of the stick in this arrangement: both Facebook and Fashion ID were benefitting, but the consumer did not have an adequate say in the arrangement, which did, lest we forget, concern all their personal data being transferred.
Rights Groups advocating in this manner could become a feature in Ireland too. It is outlined in the Data Protection Act 2018, which enacts GDPR in this country, that rights bodies may also take cases of public interest, along with individuals or groups of individuals who may be directly affected.
So, consider yourself warned. Engage with Facebook to get a few ‘likes’ and you must abide by the law as is outlined in GDPR or you may well not like what you end up with: a world of fines, awards, legal fees, Data Subject Access Requests and long trips to the Data Protection Commission.