The European Court of Justice has imposed stricter requirements on website operators for "Like" buttons.
What happens when you use the "Like" button? Once the "Like" button is integrated into a website, the user's IP address and browser string are collected each time the website is accessed and sent to Facebook's European headquarters in Ireland. This applies to any website where this button is integrated, irrespective of whether it is operated directly by Facebook or by an independent third party. The button does not even have to be actively clicked for the personal data to be transmitted. Once the website operator has integrated the plug-in, the operator can no longer influence the subsequent data processing.
In the specific case, the ECJ dealt with a legal dispute between Verbraucherzentrale NRW e.V. and the online fashion retailer Fashion ID GmbH & Co. KG about the use of the "Like" button. In its ruling, the European Court of Justice declared that the integration of social plug-ins establishes a joint responsibility of the website operator and Facebook (European Court of Justice, ruling of 2019/07/29 – C-40/17 Facebook "Like" button – Fashion ID). This joint responsibility requires an agreement between the website operator and the social plug-in provider that meets the requirements of Art. 26 GDPR (joint control agreement).
Website operators are therefore jointly responsible under data protection law for the integrated content of third parties. In future, the website operator should therefore obtain the consent of the website visitor in accordance with Art. 6 para. 1 lit. a GDPR before data is transferred to Facebook.
Furthermore, the data protection declaration must be adapted to fulfill the information obligations of Art. 6 para. 1 GDPR. The question of liability for breaches of data protection remains risky. If a joint control agreement has been concluded, as required, Art. 26 para. 3 GDPR stipulates that the data subject can assert the rights to which he is entitled under the GDPR against all parties responsible. The website operator is therefore also liable for data protection violations committed by Facebook. The website operator can only avoid this liability by not including the "Like" button.
The Facebook fan page has also been the subject of court proceedings. The Federal Administrative Court dealt with a complaint by the data protection supervisory authority about the operation of a Facebook fan page by the Wirtschaftsakademie Schleswig-Holstein, which is organized under private law. In this case, the Federal Administrative Court had appealed to the European Court of Justice (Federal Administrative Court, ruling of 2016/02/25 – 1 C 28.14, Schleswig Higher Administrative Court, Schleswig Administrative Court, ZD 2016, 393). The ECJ had decided that the Facebook fan page operator – in this case the Wirtschaftsakademie Schleswig-Holstein – should be deemed jointly responsible together with Facebook (ECJ, ruling of 2018/06/05 – C-210/16 – ULD Schleswig-Holstein/Wirtschaftsakademie Schleswig-Holstein, ZD 2018, 357).
The Bavarian State Office for Data Protection Supervision (BayLDA) is starting proactive website inspections. Thomas Kranig, the president of the BayLDA, announced in September 2019 at an exchange of experience forum of the German Association for Data Protection and Data Security (Gesellschaft für Datenschutz und Datensicherheit e.V.) that the Bavarian data protection supervisory authority is planning to prohibit website tracking and issue accompanying fines against a number of companies. In the process, the authority will carry out an extensive inspection of websites using automated tools. It is therefore advisable to have your own website checked for legal conformity by a certified data protection officer.