Facebook’s ‘like’ button puts websites into EU privacy firing line
Websites with embedded social plug-ins are also liable to protect user data, court says
Websites using embedded social media plug-ins are jointly liable to protect users' data, the EU's top court has ruled.
Facebook’s “like” button makes third-party websites responsible for processing people’s data under the European Union’s privacy rules, according to the EU’s top court.
The EU Court of Justice weighed in on a dispute after an online fashion retailer was accused of violating EU law by embedding a “like” plug-in, which a local consumer association said allowed the social media company to collect data on the site’s users.
The owner of a website can be held jointly responsible for “the collection and transmission to Facebook of the personal data of visitors to its website,” the Luxembourg-based court said in a ruling on Monday. “By contrast, that operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone.” The decision cannot be appealed.
The case has been closely watched by privacy lawyers who say many companies are unaware of the potential risks of being held jointly liable with tech giants such as Facebook for data they share with them by embedding a social plug-in, such as Facebook’s iconic ‘like’ button, on their website. Belgium’s data protection regulator said last year a ruling making websites jointly liable could have “serious repercussions” for website operators.
“Website plug-ins are common and important features of the modern internet,” Facebook’s associate general counsel, Jack Gilbert, said in a statement. “We are carefully reviewing the court’s decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”
The case dates back to before the EU enacted much stricter privacy rules with its General Data Protection Regulation, or GDPR. Still, the concept of two companies being seen as joint controllers for data protection reasons remains relevant in the new rules, says Tom De Cordier, a technology and data protection lawyer at CMS DeBacker in Brussels.
He says there’s a high likelihood that big organizations use technology on their websites that tracks users’ data in some form.
“The impact will be that if something goes wrong on the data-collection side, you may be on the hook as much as Facebook is,” he adds.