Lawyer Dr. jur. Dirk Lindloff, legal advisor in Koblenz
Magazine
Our information service for you
Monday, 29.07.2019

Integrating content from third-party servers on your own website

A delineation of responsibilities



by
Dr. jur. Dirk Lindloff
Lawyer
Specialist lawyer for intellectual property law
Specialist lawyer for information technology law

Give me a call: 0261 - 404 99 45
E-Mail:

Initial situation

Many website operators do not load all the content of their website from their own web server. Rather, third-party services are integrated in such a way that the website visitor's browser loads some content directly from third-party servers.

Examples:

  • font files from Google Fonts or Adobe Fonts
  • maps using Google Maps, Bing Maps or Apple Maps
  • social media buttons such as Facebook's Like button
  • statistics tools such as Google Analytics
  • ... and much more

Why is this ALWAYS a data protection issue?

For the visitor's browser to load data from the third-party server, it has to contact that server from the IP address of the visitor's Internet connection, and the third-party server processes that IP address at least in order to deliver the requested data. An IP address is information that can be linked to a person and is therefore subject to data protection law, i.e. the GDPR (General Data Protection Regulation, DSGVO in German). The request also carries further data from the browser, such as the address of the page being visited (Referer header) and the browser and operating system identification (User-Agent). In addition, many third-party providers set cookies in order to recognize visitors across multiple websites.

Which service was the subject of the judgment?

On July 29, 2019 the ECJ ruled on the Facebook Like button. Facebook's importance is declining, so in that respect the ruling is no longer entirely timely; however, it provides many clues for the treatment of other third-party services.

Responsibility – why is this important?

To understand the ECJ ruling, you need to know why the topic of "responsibility" is important in data protection.

The controller is not only responsible for the data processing and liable for violations of the law, but also has the following obligations:

  • assessing the lawfulness of the processing operation and obtaining consent where necessary
  • informing the data subjects about the processing

ECJ judgment on responsibility

In its judgment in Case C-40/17, the ECJ developed a differentiated view:

The website operator is always jointly responsible for the collection of the data in the visitor's browser and their transmission to the third-party provider. He is also jointly responsible for what happens at the third-party provider afterwards, but only insofar as he can influence it.

"Jointly responsible" here means that the third-party provider and the website operator are joint controllers. It follows that the two must conclude a joint controllership agreement under Art. 26 GDPR. The essence of that agreement must also be made available to the data subjects, so it belongs in the privacy policy of the website that integrates the third-party service.

Impact in practice

The website operator must in any case always check and ensure the lawfulness of the data transfer to the third-party provider and inform the data subject about it.

He therefore starts with Art. 6(1) GDPR and determines a legal basis. Caution with Art. 6(1) sentence 1 lit. f GDPR, the overriding legitimate interest of the website operator: as a rule this is not a suitable legal basis, as the German Data Protection Conference (DSK) worked out in March 2019. Often the only option is to obtain consent before the first transfer of data to the third-party provider. When obtaining consent it is often overlooked how specifically the data processing must be described, and that this cannot simply be done by adding a passage to the privacy policy. The typical cookie banners in their current form are in any case not suitable for obtaining consent. Technically, the required order - first obtain consent, then execute the third-party service - is rarely observed: a script or stylesheet tag for the third-party service in the page's HTML causes the request to leave the browser before any banner is shown.
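The ordering problem in the last sentence is a front-end engineering question, so here is a small consent gate that enforces it, added here as an example and not code from the article or from any of the providers it names. The purposes ("analytics", "fonts"), the URLs and the injector are hypothetical; a real consent banner would call grant() and revoke().

```javascript
// Added example (not from the original article): load third-party resources
// only after the visitor has consented to the purpose they serve.
// Purposes, URLs and the injector are hypothetical placeholders.

function createConsentGate(inject) {
  const granted = new Set();   // purposes the visitor has consented to
  const pending = new Map();   // purpose -> resources waiting for consent
  const loaded = [];           // resources handed to inject(), in order

  function load(res) {
    inject(res);               // the only place a network request can originate
    loaded.push(res);
  }

  return {
    // Declare a third-party resource. It is loaded immediately if consent for
    // its purpose already exists, otherwise queued; nothing touches the network.
    register(purpose, url, kind = "script") {
      const res = { purpose, url, kind };
      if (granted.has(purpose)) {
        load(res);
      } else {
        if (!pending.has(purpose)) pending.set(purpose, []);
        pending.get(purpose).push(res);
      }
      return res;
    },
    // Record consent for one purpose, then release everything queued for it.
    grant(purpose) {
      granted.add(purpose);
      for (const res of pending.get(purpose) || []) load(res);
      pending.delete(purpose);
    },
    // Withdrawal blocks future loads. A script that has already executed
    // cannot be "unloaded", which is why consent has to come first.
    revoke(purpose) {
      granted.delete(purpose);
    },
    isGranted(purpose) {
      return granted.has(purpose);
    },
    loadedUrls() {
      return loaded.map((r) => r.url);
    },
    pendingCount() {
      let n = 0;
      for (const list of pending.values()) n += list.length;
      return n;
    },
  };
}

// Browser injector. The element is created only when called, so the visitor's
// IP address reaches the third-party host no earlier than consent. Keep
// <link rel="preconnect"> / "dns-prefetch" for these hosts out of the HTML too,
// and load third-party fonts via a gated stylesheet, not a static @font-face.
function domInject(res) {
  let el;
  if (res.kind === "stylesheet") {
    el = document.createElement("link");
    el.rel = "stylesheet";
    el.href = res.url;
  } else {
    el = document.createElement("script");
    el.src = res.url;
    el.async = true;
  }
  document.head.appendChild(el);
}

// The common mistake is the reverse order:
//   <script src="https://analytics.example/tag.js"></script>   (in <head>)
//   ... consent banner rendered later by another script ...
// The request has already left the browser before the banner appears.
//
// Correct wiring (hypothetical element id and URLs):
//   const gate = createConsentGate(domInject);
//   gate.register("fonts", "https://fonts.example/css?family=Example", "stylesheet");
//   gate.register("analytics", "https://analytics.example/tag.js");
//   document.getElementById("consent-accept").addEventListener("click", () => {
//     gate.grant("fonts");
//     gate.grant("analytics");
//   });
```

The gate is deliberately per purpose rather than all-or-nothing, because consent has to be specific to the processing it covers; a visitor who accepts fonts but declines analytics must not trigger the analytics request.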

When it comes to the legal basis, you also have to check where the data is technically processed. "The world as a cloud" is not the perspective of the General Data Protection Regulation: if data is transferred to or processed outside the EU, this is permitted only under strict conditions.

The website operator must also describe the data processing in his privacy policy, at least as far as the collection and transmission are concerned, and provide a great deal of individual detail. According to the ECJ ruling he at least no longer has to inform about how the third-party provider subsequently handles the data (doing so is at most in his own interest) - unless the website operator also has influence on that processing.

Agreements under Art. 26 GDPR will have to be concluded far more often than today, because joint responsibility is something the large internet providers still shy away from, even about a year after the ECJ ruling on Facebook fan pages.

Final assessment

It has become somewhat easier to integrate third-party services into your own website, but the ECJ ruling does not constitute a carte blanche.

These statements are initial information that was current for the law applicable in Germany at the time of first publication. The legal situation may have changed since then. Moreover, the information provided cannot replace individual advice on a specific matter; please contact us for that.