Yesterday, a significant judgement was made on the usage of Facebook’s ‘Like’ feature by third party websites. The Court of Justice of the European Union (ECJ) ruled that the operator of a third party website with an embedded Facebook ‘Like’ button can be held jointly responsible for the initial collection and transmission of the visitor’s personal data to its website, under the European Union’s General Data Protection Regulation (GDPR).
It also stated that “By contrast, that operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone.”
This ruling was made in a case filed by a German consumer protection association, Verbraucherzentrale NRW against an online clothing retailer Fashion ID. The court found that the installed Facebook ‘Like’ button on a third party website allows Facebook to collect user’s information without their consent, irrespective of the fact that users did not click the button or were not part of the social media network.
According to the press release, the ECJ has set guidelines that third party website operators must seek consent from site visitors by clarifying the identity and purpose of the information transmission, before the data is handed over to Facebook. It also adds that for lawful purposes, operators “must pursue a legitimate interest through the collection and transmission of personal data in order for those operations to be justified in that regard.”
The ‘Like’ button feature, introduced by Facebook 10 years ago, is one of the most utilized features by users. The feature has also been adapted into most other social media platforms like Youtube, Twitter and Instagram. It makes sharing content or opinions about content on social platforms extremely convenient with a single click.
This ruling is significant because many online portals use the ‘Like’ button to make their products more visible on Facebook and do not bother about the consequences of data sharing with social media platforms. Last year, Facebook had notified the UK parliament that between April 9 and April 16, the ‘Like’ button appeared on 8.4M websites. This judgement comes as a warning to all third party websites, as they can no longer hide behind Facebook for their complicity in dodgy data gathering practices.
Last month, the BBC reported that Facebook uses information from the ‘Like’ button feature to not only alter newsfeeds and to apply behavioural advertising, but also to use it as a tool to target elections and manipulate people’s emotional state.
Addressing the court judgement, Jack Gilbert, Associate general counsel at Facebook, says that “Website plugins are common and important features of the modern Internet. We welcome the clarity that today’s decision brings to both websites and providers of plugins and similar tools.”
He further added that they are reviewing the court’s decision and “will work closely with our partners to ensure they can continue to benefit from our social plugins and other business tools in full compliance with the law.”
Facebook, which believes there’s no expectation of privacy on social media, has a record of trying to evade or delay justice by manipulating laws using legal loopholes. A GDPR-violation lawsuit filed against Facebook by a privacy activist went on for 5 long years as Facebook constantly questioned whether GDPR-based cases fall under the jurisdiction of courts, until it was rejected by an Austrian Supreme Court this year. Last year, a lawsuit was filed against Facebook over a data breach impacting nearly 30 million users. In response, Facebook argued that some of the leaked information were not sensitive. However, an appellate court in San Francisco ruled against Facebook’s appeal, last month.
When caught red-handed, Facebook has attempted to deploy their PR and lobbying juggernaut to turn verdicts in their favour. Two months ago, reports emerged claiming that Facebook allegedly pressured and “arm-wrestled” EU expert group to soften European guidelines for fake news. Facebook’s chief lobbyist, Richard Allan allegedly threatened the expert group by saying, “We are happy to make our contribution, but if you go in that direction, we will be controversial”, and would stop Facebook’s support for journalistic and academic projects.
We will have to wait and watch if Facebook and other social media & content platforms will comply with the GDPR data protection framework this time or will it again try to escape laws using its might.
EU finds publishers who use @facebook Like buttons on their sites can be held liable for some data/privacy malpractice. Will that cause publishers to get rid of Like buttons? If not, does that speak to FB's market power?https://t.co/ZBmz5i67Rc
— Max Moran (@MaxMoranHi) July 29, 2019
Does the EU have to do all the work for us? When will Congress stop mooning over tech companies and billionaire brats and start serious regulation of privacy violations?
— L Lewis (@PepperoniRollz) July 29, 2019
Some people are satisfied that the court ruling will ensure third party websites think hard before sharing user information with Facebook.
A user on Hacker News comments, “Good. I don’t want you telling Facebook I’ve visited your website.”
“The impact will be that if something goes wrong on the #data collection side, you (websites) may be on the hook as much as @Facebook is,” … #TimesUp #CyberSecurity #accountability #dataprivacy #ShameOnYou #blamegame
— Lisa M Guzzardi, RN (@LguzzardiM) July 29, 2019
— Karla Galt (@ChopinOpera) July 29, 2019
To tackle the plague of tracking in Facebook ‘Like’ button, open source developers are coming up with their own solutions. Social Share Privacy is one such plugin project in jQuery. It enables third party websites to disable the Like/recommend button on their websites, by default.
Read the Court of Justice of the European Union’s press release for more information.