Companies that embed Facebook's "Like" button on their websites must seek users' consent to transfer their personal data to the U.S. social network, in line with the bloc's data privacy laws, Europe's top court said on Monday.
Website plugins such as Facebook's "Like" button are a common feature of online retail as companies seek to promote their products on popular social networks, but critics fear the data transfer may breach privacy laws.
The ruling from the Luxembourg-based Court of Justice of the European Union (ECJ) came after a German consumer body sued German online fashion retailer Fashion ID for breaching personal data protection rules via its use of the button on its site.
A German court subsequently sought guidance. ECJ judges said websites and Facebook share joint responsibility.
Under landmark EU data privacy rules adopted last year, a data controller determines why personal data must be collected and processed and also secure consent from users. A data processor only processes personal data on behalf of the controller and is usually a third-party company.
"The operator of a website that features a Facebook 'Like' button can be a controller jointly with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website," the judges said.
The German retailer benefited from a commercial advantage as the 'Like' button made its products more visible on Facebook, the court said, though it noted the company is not liable for how Facebook subsequently processes the data.
Facebook said the ruling sheds clarity on website plugins, calling them an important feature of the Internet.
"We are carefully reviewing the court's decision and will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law," Jack Gilbert, Facebook's associate general counsel, said in a statement.
Verbraucherzentrale NRW, the German consumer protection group which took Fashion ID to court, welcomed the ruling. "Companies that profit from user data must now live up to their responsibility," its head Wolfgang Schuldzinski said.
Germany's main technology industry association Bitkom however lamented the burden placed on website operators.
"The European court is imposing an enormous responsibility on thousands of website operators – from the small travel blog to the online megastore, as well as the portals of major publishers," said Bitkom head Bernhard Rohleder.
He said the ruling would not only affect websites with an embedded Facebook "Like" button, but all social media plugins, forcing their operators to reach data agreements or face liability for collecting the data of users.
The ruling is in line with strict data privacy laws adopted by the 28-country bloc last year, said Nils Rauer, a partner at law firm Pinsent Masons.
"The court was right in assessing whether Fashion ID had an interest in collaborating with Facebook by way of embedding the 'Like' Button," Rauer said, adding plugins will continue to be popular notwithstanding the judgment.
"Personally, I do not think that companies will turn away from embedding 'Like' buttons due to the judgment. Presumably, they will pay more attention to the embedding process, by way of obtaining dedicated data privacy advice," Rauer said.
The case is C-40/17 Fashion ID.
(Reporting by Foo Yun Chee, additional reporting by Doug Busvine in Frankfurt; Editing by David Holmes)
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.