The CJEU handed down the ruling in their judgment of 29 July 2019 (cited as "Fashion ID (C-40/17)").  In this case, an online fashion retailer embedded a Like button on their website that collected and then transmitted visitors' personal information (think IP addresses, browser data, etc.) (herein "Personal Information") to Facebook automatically, with transmission apparently occurring without the visitor being aware of it, without the visitor having to be a member of the Facebook social networking platform and without the visitor having to click on the Like button itself.

To summarise for purposes of this post, the CJEU ruled that:

In other words, by embedding a plugin on its website that causes the collection and transmission of Personal Information to the plugin provider, the website operator acted as data controller as it determined the purpose and means of the collection and transmission of the Personal Information.  The designation as data controller in such a situation naturally carries with it several compliance obligations, but the website operator would only be liable in that regard up to the point that the Personal Information is transmitted through the plugin, and would not be liable for the actions of the plugin provider following transmission.

One such compliance obligation (among others) is that the website operator would have to obtain the consent of a visitor before the collection/transmission of the Personal Information, this being regardless of whether the Like (or similar) button is clicked or not.  Think of how websites eagerly ask you to confirm your cookie preferences these days – the same might soon occur with Like buttons and other plugins.  It would also be good practice for the website operator and plugin provider, as joint data controllers, to put a data sharing agreement in place, to contractually regulate their respective rights and corresponding obligations in respect of the Personal Information being collected and transmitted.

In South Africa, the Protection of Personal Information Act, No. 4 of 2013 (herein "POPIA"), while not yet fully in force, is substantially aligned with trends set by the EU, including its privacy laws.  In the context of the CJEU's ruling:

Given the substantial alignment between EU privacy law and POPIA, it is the writer's view that the CJEU's ruling would prove instructive in cases where South African website operators embed Like (or similar) buttons on their websites.  Looking ahead to the day when POPIA comes into full force and effect (herein "POPIA-Day"), South African website operators should heed the CJEU's ruling as our courts may very well follow suit if/when faced with similar issues.

As with just about anything, it always makes sense to rather plan ahead and put appropriate safeguards in place, than to only deal with issues as they arise.  In preparing for POPIA-Day, South African website operators should seriously consider putting a roadmap in place to ensure compliance with their privacy law obligations, including as prescribed under POPIA.  We've posted some thoughts developing such a roadmap before, which you can read  here: https://www.swart.law/post.aspx?id=44.