CJEU hands down an important decision on web tracking cookies
The European Court of Justice (CJEU) has today (5 June 2018) handed down a judgment emphasising that website owners and fan-page administrators must be alert to the privacy implications of third party scripts operating on their websites. These owners and administrators will bear at least some of the regulatory responsibility for the resultant personal data processing. With that in mind, website operators should review the data processing practices of third parties who drop cookies via their website.
The use of analytics and tracking technologies on websites is commonplace. By permitting third party scripts website owners typically receive anonymous statistical information about website usage which can assist in optimizing website design. However, from the perspective of the analytics provider the information obtained via one website is simply one facet of the wider collection of data from number of sources. In their hands the data is not anonymous but can be used to build a detailed picture of users and to target advertising at them.
The website owner which receives only anonymous statistics may not have regarded that as personal data and may have discounted the possibility that they were a data controller in respect of any of the identifiable data processed by the analytics provider. Designation as a controller brings with it exposure to regulatory enforcement for any infringement of data protection law in respect of the processing of the analytics data. Is it correct that the website owner is not a controller in respect of personal data processed by the analytics provider via that website?
That is broadly the question which arises in two cases before the CJEU. The decision in the FashionID case, which arises in the context of the deployment of Facebook ‘like’ buttons on a website, is awaited. However, the CJEU has today handed down its decision in another case involving a Facebook fanpage using the Facebook ‘Insights’ tool.
The Court has endorsed the views, previously expressed by Advocate General Bot, that both the fanpage administrator and Facebook are controllers of the personal data. The Court noted that the fanpage administrator does not escape that designation simply because the data which it receives is anonymous. They noted that there can be joint responsibility of a number of controllers without each of them having access to the personal data. The Court emphasized that joint liability does not mean equal liability. The level of responsibility must be assessed on a case by case basis taking account of the relevant circumstances. The CJEU was not required to determine where the line was drawn in this case.
This judgment comes amidst news of privacy and security enhancements in Apple’s iOS 12 including tracking prevention tools. These join a variety of other tools available to web users to block cookies and tracking technologies. However, putting greater control in the hands of website users will not absolve website owners of their responsibilities which are brought into sharp focus by today’s judgment.
 Fashion ID GmbH & Co.KG v Verbraucherzentrale NRW eV (Case C-40/17)
 Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht
This briefing is for guidance purposes only. RadcliffesLeBrasseur accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.