What the Facebook "Like" Button GDPR case ruling tells us about joint control

In July, the Court of Justice of the European Union adjudicated on the case of Fashion ID v ‘Verbraucherzentrale,' more commonly known as the Facebook “Like” button case. One of the key considerations of this case concerned whether a website operator embedding Facebook’s “Like” button on its website is considered a joint data controller with Facebook.

The court found that such a website operator can be a joint controller in respect of the collection and transmission of personal data. With that decision in mind, here we look at the ramifications for Awin’s position as joint controller with our publishers and advertisers.

The concept of ‘controller’

‘Controller’ refers to the entity that, alone or jointly with others, determines the purposes and means of the processing. As such, controller is a category that is intended to allocate responsibility to those making significant decisions over personal data and is less about actual technical control than decision-making powers. In this case, the court reiterated that “controller” is to be interpreted broadly, so that the objective of the provision – the effective and complete protection of data subjects – is ensured.

Awin’s position as controller is both a logical one based on the way transactions are tracked, queried and reported, as well as one that could potentially be considered as more effective in respect to the protection of data subjects’ rights.

Determining the purpose and means for joint control

Joint control is where several operators jointly participate in determining the purposes and means of the data processing.

Taking this principle in the context of the website operator, by embedding the Facebook ‘Like’ button on its site it enabled Facebook to obtain the personal data of its website visitors. On this basis, the website operator determined, jointly with Facebook, the purposes and means relating to the collection and transmission of the data of its website visitors.

We can draw parallels here with Awin’s position, whereby tracking data (considered to be personal data) is collected on publisher and advertiser sites via integration of tracking technologies and transmitted to Awin. Following the court’s reasoning, our advertisers and publishers jointly determine with Awin the means and purposes for the processing of data in relation to visitors to their respective websites.

The judgment is aligned with Awin’s approach in relation to joint control with our advertisers and publishers concerning the collection of tracking data via tracking code integration into advertiser URLs. 

The court reiterated that even a website operator who doesn’t have access to the personal data can be considered a controller. This is consistent with Awin’s position where, despite our publishers and advertisers not having access to all tracking data that is collected, each can be considered joint data controller with Awin.

Even if the website operator doesn’t have access to the data that is processed, that operator can still be a controller. 

The court determined, in respect of the subsequent processing that’s carried out by Facebook alone, that the website operator cannot be considered data controller as they do not determine the purpose and means of the processing after the data is transmitted to Facebook.

This situation can be contrasted with Awin’s where advertisers and publishers have joint economic interests together with Awin in the processing of tracking data that takes place after its initial collection and transmission. This, coupled with the way transactions are subsequently reported and reviewed by advertisers and publishers, results in joint control for the entirety of the processing.

The case can be differentiated from Awin’s situation in respect of the parties’ interests in the subsequent data processing and the way the data flows back to the parties involved. 

A note on joint liability

Another important point the court highlights is that each party’s level of liability under joint control must be assessed in the context of the relevant circumstances. Each party may be involved at different stages of the data processing and to different degrees, and equal responsibility therefore doesn’t necessarily follow from joint control. This corresponds both with existing guidance on the matter as well as the approach we take as a network when we partner with our advertisers and publishers.

Joint control does not necessarily imply equal responsibility. 

A final word

This latest judgment from the court addresses several matters that are relevant to the data processing Awin undertakes in our role as an affiliate network and for the services we provide. Given the previous lack of detail on this point, the varying positions of companies in the affiliate space and the frequent questions often raised in our discussions with advertisers and publishers, Awin welcomes the affirmations made by the court and the added clarity brought by the judgment.