The CJEU ruling in a nutshell
The CJEU handed down the ruling in their judgment of 29 July 2019 (cited as "Fashion ID (C-40/17)"). In this case, an online fashion retailer embedded a Like button on their website that collected and then transmitted visitors' personal information (think IP addresses, browser data, etc.) (herein "Personal Information") to Facebook automatically, with transmission apparently occurring without the visitor being aware of it, without the visitor having to be a member of the Facebook social networking platform and without the visitor having to click on the Like button itself.
To summarise for purposes of this post, the CJEU ruled that:
- a website operator that embeds such a plugin on their website, which causes the collection and transmission of Personal Information to the plugin provider, can be considered a joint data controller of the Personal Information with the plugin provider under relevant EU privacy law; and
- the liability of the website operator in such circumstances would, however, be limited to its collection of the Personal Information and the transmission thereof to the plugin provider.
In other words, by embedding a plugin on its website that causes the collection and transmission of Personal Information to the plugin provider, the website operator acted as data controller as it determined the purpose and means of the collection and transmission of the Personal Information. The designation as data controller in such a situation naturally carries with it several compliance obligations, but the website operator would only be liable in that regard up to the point that the Personal Information is transmitted through the plugin, and would not be liable for the actions of the plugin provider following transmission.
One such compliance obligation (among others) is that the website operator would have to obtain the consent of a visitor before the collection/transmission of the Personal Information, this being regardless of whether the Like (or similar) button is clicked or not. Think of how websites eagerly ask you to confirm your cookie preferences these days – the same might soon occur with Like buttons and other plugins. It would also be good practice for the website operator and plugin provider, as joint data controllers, to put a data sharing agreement in place, to contractually regulate their respective rights and corresponding obligations in respect of the Personal Information being collected and transmitted.
The POPIA context
In South Africa, the Protection of Personal Information Act, No. 4 of 2013 (herein "POPIA"), while not yet fully in force, is substantially aligned with trends set by the EU, including its privacy laws. In the context of the CJEU's ruling:
- while you wouldn't be called a data controller for purposes of POPIA, section 1 of POPIA defines a "responsible party" as any "…person which, alone or in conjunction with others, determines the purpose of and means for processing personal information" (the writer's underlining for emphasis), which is effectively the equivalent of a data controller in EU terminology. Further, the definition of "processing" in section 1 of POPIA includes the "collection" and "dissemination by means of transmission" of Personal Information, which is also aligned with EU terminology; and
- as is the case with being designated as data controller for purposes of EU privacy law, the designation as responsible party for purposes of POPIA similarly carries with it the burden of several compliance obligations.
Given the substantial alignment between EU privacy law and POPIA, it is the writer's view that the CJEU's ruling would prove instructive in cases where South African website operators embed Like (or similar) buttons on their websites. Looking ahead to the day when POPIA comes into full force and effect (herein "POPIA-Day"), South African website operators should heed the CJEU's ruling as our courts may very well follow suit if/when faced with similar issues.
As with just about anything, it always makes sense to rather plan ahead and put appropriate safeguards in place, than to only deal with issues as they arise. In preparing for POPIA-Day, South African website operators should seriously consider putting a roadmap in place to ensure compliance with their privacy law obligations, including as prescribed under POPIA. We've posted some thoughts developing such a roadmap before, which you can read here: https://www.swart.law/post.aspx?id=44.