By René Mahieu and Joris van Hoboken
Introduction
Fashion ID revolves around a German consumer protection organization, Verbraucherzentrale NRW (a public service organization), which filed a lawsuit against Fashion ID, an online fashion shop, about the placement of a Facebook “Like” button on the shop’s website. The inclusion of the like-button on Fashion ID’s website results in the transmission of personal data to Facebook’s servers when a visitor enters the website. This happens (i.) without the visitor being aware of that, (ii.) regardless of whether the visitor is a member of Facebook, and (iii.) regardless of whether the visitor actually clicks the like-button. According to the Verbraucherzentrale, the website operator has not provided information, nor collected consent for this processing of personal data, in accordance with its obligation under the Data Protection Directive (DPD).
After litigation about the matter in Germany, the higher regional court of Düsseldorf referred six questions to the European Court of Justice (ECJ). The first question referred to the ECJ is whether a consumer protection organization can bring a data protection case. The Court finds that member states have the discretion to allow consumer organizations, representing the interests of citizens, to bring legal proceedings. It finds that member states in general have a wide discretion when it comes to implementing directives, and are free to choose the implementing measures as long as they ensure that their national law effectively transposes the objectives of EU law. This is the case here, according to the Court, since allowing consumer organizations to bring cases supports the effective and complete protection of the fundamental rights and freedoms of data subjects. The Court also finds support for this argumentation in the fact that the GDPR explicitly allows member states, under Art. 80(2), to provide for the ability of non-for-profit organizations to bring legal proceedings, independently of a data subject’s mandate.
The following questions concern different aspects of the division of responsibility in cases where multiple actors (here Facebook and Fashion ID) are involved in the processing of personal data. In particular, the ECJ is asked (i.) whether a website operator that embeds a social plugin, causing the browser of visitors to transmit personal data to the provider of the plugin, is a joint controller, given that it has a very limited influence over the processing of data and (ii.) which one of the joint controllers is responsible for providing information to and collecting consent from the website visitor.
It’s the third recent case in which the ECJ has been asked to clarify the concept of (joint) controller, which is central to the DPD as well as the GDPR. This determination gets to the heart of a fundamental question for any form of regulation: who is responsible for upholding the law, and how far does this responsibility reach? Moreover, while the case has been decided under the regime of the DPD, it is still relevant under the GDPR because the notion of joint control and the system for the division of responsibilities among joint controllers have been clarified in some respects in the GDPR, but remained essentially unchanged.
Findings
Following its previous judgments (Wirtschaftsakademie and Jehovan Todistajat), the ECJ concludes that Fashion ID is a joint controller together with Facebook. It re-states the principle that an actor who has influence over the processing of personal data, and processes it for its own purposes, has to be qualified as a controller. By deciding to embed the plug-in, to “benefit from the commercial advantage consisting in increased publicity for its goods” (para 80), ”Fashion ID exerts a decisive influence over the collection and transmission of the personal data […] to Facebook Ireland, which would have not occurred without that plugin” (para 78). In applying this principle, the Court presents three supporting arguments. First, it states that a broad notion of ‘controller’ is needed to support the overall aim of data protection legislation. Second, the directive explicitly includes the possibility of joint control. Third, an entity can be a joint controller, even if it does not have access to the personal data which is being processed.
The Court subsequently finds that Fashion ID is a joint controller only with respect to two stages of the processing: The collection of personal data and disclosure by transmission of those data. With this conclusion, the ECJ follows the opinion of Advocate General Bobek: a natural or legal person may be a joint controller exclusively with regard to the operations for which it determines jointly the purposes and the means of the processing of personal data. Fashion-ID is then responsible for the collection and transmission of the personal data, but not for the subsequent processing that Facebook carries out (para 76).
In answer to the questions of the referring German court concerning the division of responsibilities among the joint controllers, the Court decides that Fashion-ID has to provide information to and collect consent from the data subject. However, these obligations are limited to the collection and transmission of personal data – the processing activities for which it is a (joint) controller (paras 100-101). It argues that Fashion-ID – rather than Facebook – has the duty to comply with these obligations, because the consent and information have to be given before the collection and transmission of personal data to Facebook, which occur when someone visits its website (para 102).
Analysis
The legal significance of the Fashion-ID judgment lies in the further development of the principles for assigning responsibility in cases of joint control. In Wirtschaftsakademie the Court had stated that: “operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case”. But the ECJ left it to the referring court to determine the extent of the responsibilities of the Facebook fanpage administrator. It did so because, as we noted elsewhere, there is no clear mechanism for allocating responsibility in cases of joint control. Fashion ID is the first case in which the Court does assign specific responsibilities in a situation of joint control based on an analysis of the data processing stages in which that controller is involved.
The Wirtschaftsakademie case applies what one could call a “a phase-oriented approach” to the governance of personal data processing operations. This is the approach according to which the determination of whether an entity qualifies as a (joint) controller as well as the specific responsibilities of such a controller are tied to different phases of the data processing that is taking place. In Wirtschaftsakademie, the Court held, following the opinion of Advocate General Bot, that where two operators are joint controllers, “those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case.” (para 43). In other words, the Court introduced the principle that the responsibility of a controller should be dependent on the stages of the processing in which it is involved and on the degree of this involvement.
This idea of phase-oriented data protection is not new. It was already proposed in Germany in the 1970’s by Steinmüller and Lutterbeck in “Grundfragen des Datenschutzes”, an important expert opinion delivered to the German Ministry of the Interior in preparation for the first German federal data protection legislation. As Pohle (2014) argues, the strength of the phase-oriented model lies in it being a reductionist model that simplifies the analysis of complex systems. At the same time, the application of this approach to the GDPR unveils some of the limits of the method itself.
First, limiting responsibilities to individual phases of data processing creates the problem of losing sight of the bigger picture, when it comes to the societal risks posed by complex, networked, personal data processing systems such as in the case of a service provider like Facebook. In other words, the effects on and the risks for the rights and freedoms of individuals of such complex systems, are – as a whole – much bigger than the mere sum of the risks connected to the individual processing phases.
Second, European data protection legislation is not developed on the basis of a phase-oriented analysis. Article 4(2) of the GDPR, to which the Court refers in identifying the different phases, defines processing as any operation performed on personal data and gives a list of examples of operations which constitute such processing. This list of examples was never intended as a systemic classification of the different phases of data processing or as a methodology for determining the proper unit of analysis for determining responsibilities and compliance questions. Applying a phase-oriented approach without having a proper framework for dividing up complex data processing operations into different phases (or stages, as the Court refers to in paragraphs 70 and 72) or a way to consistently assign specific responsibilities to these phases is bound to create serious legal uncertainty. For these reasons it is questionable whether the goal of effective and complete protection of the fundamental rights and freedoms of data subjects can be attained in this way. At the very least, pursuing this goal will require a lot of analytical work and interpretation in practice.
Let’s use an example to illustrate how the fundamental principle of data protection that is at stake in the Fashion ID case, transparency, is difficult to square with the phase-oriented approach.
Providing information that is restricted to one particular phase (or stage) of data processing cannot uphold the principle of transparency and fairness. According to Art. 13(1)(c) GDPR, information has to be given to the data subject about the purposes of the processing. In the judgment at issue, the Court applies art. 13 GDPR when deciding that the information that Fashion ID has to provide, and the consent it must ask for, is limited to the collection and transmission of the personal data to Facebook. According to Art. 13(1)(c), information has to be given to the data subject about the purposes of the processing. However, it should be highlighted here that the purposes of Fashion ID’s processing go far beyond these initial two operations. In fact, it can be argued that the purpose of Fashion ID in collecting and transferring the personal data includes from the very beginning the elaborate further processing that Facebook performs. For example, the cookies related to the like button allow Facebook to track that an individual has visited the Fashion ID website, and through further processing of that information, enables Fashion ID to show advertisements on Facebook specifically targeted to those people who previously visited its website. Moreover, this information, combined with tracking that is happening on other websites, is used to create detailed profiles of individuals and to further optimize the targeting that takes place on Facebook.
In light of this, since these types of further processing by Facebook contribute to the purpose of the collection of the data by Fashion ID – as they enhance the visibility of its own products on Facebook – it can be concluded that in order to comply with Art 13(1)(c) GDPR, Fashion ID would have to provide information about this further processing. In fact, restricting transparency to a stage of the processing (collection and transmission of personal data) that is inherently instrumental to further stages of processing, creates significant theoretical and practical issues for answering the underlying question about the legitimacy of such processing properly. According to a recent Article 29WP guidelines on transparency, “controllers should […] spell out in unambiguous language what the most important consequences of the processing will be”. By decoupling data processing operations that form a systemic whole in this way, the consent that data subjects are asked to provide is even less meaningful than would be the case otherwise.
Let’s also consider for a moment the alternative, i.e. situation in which the website operator would be considered jointly responsible for the further processing of personal data by Facebook. In such cases, the ability of joint controllers to provide relevant information about the further use of personal data is dependent on the willingness of Facebook to provide sufficient information in the first place. According to recommendation 03/2017 of the Belgian DPA, the information which Facebook provides about its use of cookies and related technologies is insufficient. It can reasonably be argued that, as long as this is the case, a web-site operator (which transmits data to Facebook, and therefore makes the processing by Facebook possible) is therefore also not able to provide sufficient information in connection with such processing. Strictly speaking, as long as such information is not provided it should simply not be permitted. In fact, it’s hard to see how these data gathering practices, in particular also from data subjects that are not Facebook members, can be considered necessary, proportionate and compliant under data protection rules. While there needs to be a way to differentiate the responsibility of the different actors, doing this by completely absolving one actor from the responsibility regarding further processing that forms an integral part of the initial processing, does not serve the main aim of European data protection legislation. Instead differentiation could better be sought in differentiating the enforcement measures that are sought against different actors.
To conclude, dividing up complex data processing operations, such as those that Facebook carries out, into separate processing-phases, may be helpful to put a limit to the responsibility of other entities involved in these processes. Nevertheless, this solution may not be very helpful in creating transparent and fair data processing toward data subjects. Data protection law lacks a clear system for determining the distribution of responsibilities in situation were multiple actors are involved in the processing of personal data (Van Alsenoy 2019). But the way in which Fashion ID resolves this, by creating a phase-oriented approach to data protection governance, creates more problems than it solves.