When a ‘Like’ Is Not a ‘Like’: A New Fragmented Approach to Data Controllership

DOI: http://doi.org/10.1111/1468-2230.12537
Published date: 01 July 2020
Author: Genna Churches, Monika Zalnieriute
Modern Law Review
CASES
Monika Zalnieriute and Genna Churches
In Fashion ID, the Court of Justice of the European Union (‘CJEU’) held that an operator of
a website featuring a Facebook ‘Like’ button is a data controller under EU Directive 95/46
(‘Directive’) jointly with Facebook in respect of the collection and transmission of the personal
data of website visitors to Facebook, but Facebook alone is a data controller for any subsequent
data processing. While the CJEU’s expansive interpretation of joint controllership aims to leave
‘no gaps’ in the protection of individuals, we question whether the proposed solution to
‘fragment’ controllership into different stages of processing helps to achieve that goal. We argue
that the CJEU’s ‘fragmented’ approach is incompatible with the GDPR, as it does not reveal the
intended purposes of data processing, and thus negates informed and specific consent. We suggest
that such ‘fragmentation’ undermines the consistency, predictability and transparency of EU data
protection law by obscuring the pervasiveness of data commodification in the digital economy.
INTRODUCTION
Political and legal institutions, as well as the mainstream public, are beginning
to grasp the enormous power so-called ‘big tech’ – or more accurately, ‘big
advertising’ – exercise over our social, political and economic lives through
data commodification and manipulation. Facebook, Google, Amazon, and a
range of other companies are under intensifying pressure to ensure their data
collection and processing complies with data privacy protections and is not used
for unethical purposes.1 These heightened levels of public engagement on data
privacy issues and increased scrutiny of advertising and tech companies began
after the Snowden revelations in 2013, and were recently re-energized by the
Fellow and Leader of ‘Technologies and Rule of Law’ Research Stream, Allens Hub for Technology,
Law, & Innovation, Faculty of Law, UNSW Sydney, Australia.
PhD Candidate, Member, Allens Hub for Technology, Law, & Innovation, Faculty of Law, UNSW
Sydney, Australia. The authors are grateful for insightful comments and constructive feedback that
anonymous reviewers provided on earlier drafts.
1 Many recent enforcement actions brought by the US and EU regulators illustrate this trend,
see, for example, European Commission Press Release, ‘Antitrust: Commission fines Google
€1.49 billion for abusive practices in online advertising’ (IP/19/1770, 20 March 2019); Federal
Trade Commission v Google LLC and Youtube LLC, [2019] FTC Case No 1:19-Cv-02642,
Federal Court: District of Columbia; Federal Trade Commission v Facebook Inc, [2019] Case No
19-cv-2184, Federal Court: District of Columbia.
© 2020 The Authors. The Modern Law Review © 2020 The Modern Law Review Limited. (2020) 83(4) MLR 861–876
Cambridge Analytica and 2016 US Election interference scandals.2 Even the
US seems to be shifting with California enacting a comprehensive data privacy
law.3 Meanwhile the CJEU continues to exert its prominent role in ensuring
high levels of protection for personal data of individuals. Recently, it delivered
several high-profile decisions on platforms’ responsibility for removing harmful
content,4 the passivity and specificity of consent required for cookies,5 and even
revisited the geographical scope of the (in)famous ‘right to be forgotten’.6
The prominence of data privacy issues in political and judicial agendas has
been described as a constitutional moment for data privacy in the EU and
USA.7 In this rapidly evolving environment, on 19 January 2017, the Higher
Regional Court of Düsseldorf (‘Higher Regional Court’) requested the EU
judicature to ascertain whether an online retailer website with an embedded
Facebook ‘Like’ plug-in was a data controller for the purposes of the Directive.8
The Fashion ID ruling,9 delivered on 29 July 2019 by the Grand Chamber of
the CJEU in response to this request, represents a powerful clarification of the
contours of joint data controllership, with significant implications for website
operators, social media platforms, the digital economy as well as the rights of
individuals.
It is impossible to discuss all aspects of this judgment in the limited space
provided. Instead, we focus on the implications of novel jurisprudence
developed in Fashion ID – the ‘staged’ allocation of responsibility or what we
term a ‘fragmented’ approach to joint data controllership. While the CJEU’s
expansive interpretation of joint controllership in Fashion ID aims to leave ‘no
gaps’ in the protection of individuals, we question whether the Court’s
solution ultimately achieves that goal. We argue that limiting the responsibility
of joint controllers by ‘fragmenting’ controllership into different stages of data
processing is incompatible with the GDPR, as it does not reveal the intended
purposes of data processing, and thus negates informed and specific consent. That
is, such limited responsibility fails to account for the ‘bigger picture’ of data
2 See, for example, UK House of Commons, Digital, Culture, Media and Sport Committee,
‘Disinformation and ‘fake news’: Final Report’, Eighth Report of Session 2017–19 (14 February
2019); United States Senate, Select Committee On Intelligence, 116th Congress, 1st Session Senate,
116-Xx ‘United States Senate on Russian Active Measures Campaigns and Interference in the
2016 US Election’ (2019).
3 California Consumer Privacy Act of 2018 § 1.81.5. [Cal. Civ. Code § 1798.100–1798.199].
4 Eva Glawischnig-Piesczek v Facebook Ireland Limited (Case C–18/18) [2019] ECLI:EU:C:2019:821.
5 Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV
v Planet49 GmbH ECLI:EU:C:2019:801 (‘Planet49’).
6 Google LLC v Commission nationale de l’informatique et des libertés (CNIL) (Case C–507/17) [2019]
ECLI:EU:C:2019:772.
7 See, for example, M. Zalnieriute, ‘An international constitutional moment for data privacy in the
times of mass-surveillance,’ (2015) 23(2) International Journal of Law and Information Technology
99; N.M. Richards and W. Hartzog, ‘Privacy’s Constitutional Moment’ 23 August 2019 at
<https://ssrn.com/abstract=3441502> (last accessed 10 April 2020).
8 Pursuant to Article 267 of the Consolidated Version of the Treaty on European Union [2008]
OJ C115/13 (‘TFEU’); see Oberlandesgericht Düsseldorf, Beschluss vom 19.01.2017 - I-20 U
40/16, at https://openjur.de/u/2157759.html (last accessed 10 April 2020); Directive 95/46/EC
of the European Parliament and of the Council of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of such
data [1995] OJ L 281/31 (Directive).
9 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV ECLI:EU:C:2019:629 (Fashion ID).