Websites and 3rd parties jointly liable in the EU
Yesterday, the Court of Justice of the European Union issued its judgment in Case C-40/17 regarding the German website “Fashion ID,” which included a Facebook Like button on its website. This judgment cannot be appealed.
The principal impact of the judgment is to clarify the joint responsibility for 3rd party data collection on a website. Notwithstanding the difficulties that 3rd parties have getting in front of consumers to collect consent (or establish other legal bases) or the confusion that can arise when websites embed partners with complicated business models, the EU Court of Justice confirmed that both are independently liable for the impact of 3rd parties on the data subject, at least where the website is directly responsible for embedding the 3rd party’s technology.
Who is responsible for collecting consent? Either party. And both parties.
Note that the 3rd party likely engages in subsequent processing of the data that they alone are responsible for, so the website is not a joint controller with respect to everything the 3rd party does. Think of the joint obligation as pertaining to the initial placement of tracking assets. This is principally the ePrivacy Directive consent obligation, though in certain cases the joint liability may extend to certain GDPR processing activities.
The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real-world, pragmatic terms. Drop us a line at firstname.lastname@example.org or visit us on the web or Twitter.