The Fashion ID Case: Defining Who a Joint Controller Is


In the previous article, we read about Article 26, which defines who a joint controller is and sets out the provisions relating to it. A precursor to the GDPR is Directive 95/46, which served as the Data Protection Directive for all matters related to privacy across Europe. The Fashion ID case is one case that defines the term joint controller and who can be considered one.

Background:

Fashion ID is an online retail clothing company. To reach a wider customer base, it embedded a Facebook plug-in on its website. (Plug-ins are a kind of software module that can be embedded on a website. They are provided by social media companies such as Facebook, Twitter, Google etc. with the objective of benefitting both the website and the social media company.) In this case, accessing the website automatically enabled Facebook to gather the user's data, irrespective of whether the user had a Facebook account, and without taking the user's consent. Upon being made aware of this matter, a public service association, NRW, filed a suit against Fashion ID.

Questions raised by the Court:

  1. Can a consumer protection association bring legal proceedings against an entity that has allegedly infringed the personal data of a data subject?
  2. Is Fashion ID a controller despite not being able to influence the processing of the personal data? Whose legitimate interest should be taken into consideration: that of the operator of the website or of the provider of the plug-in?
  3. Who should obtain the consent of the data subject: the operator of the website or the provider of the plug-in?
  4. Is the duty to inform the responsibility of the operator of the website?

Findings of the Court:

The court determined that a consumer protection association such as NRW can initiate legal proceedings in case of a breach of privacy laws. It also determined that Fashion ID is a joint controller along with Facebook Ireland because it is knowingly collecting data of the data subject and permitting the transmission of the personal data to Facebook.

In the present case, the court concluded that Fashion ID and Facebook were both pursuing the legitimate interest of economic gain and that the legitimate interests of both shall be considered.

On consent and the duty to inform, which are an essential part of privacy law, it is the liability of Fashion ID to obtain the consent of the data subject and also to inform the data subject about the processing of personal data.

Conclusion: 

From this case, we can understand that Fashion ID is also a joint controller along with Facebook, despite only embedding the social media plug-in on its website and not processing the personal data itself. This is because the purpose, i.e. commercial advantage, is jointly decided by both parties. However, the liability of each controller is limited to the set of operations that it performs.
