Decision by European Court of Justice on Joint Data Controllership in line with GDPR
The Court of Justice of European Union (“ECJ”) has ruled on July 29, 2019 that the website owners who place social media plugins on their websites may be considered as joint data controllership along with social media companies in line with the respective articles of General Data Protection Regulation (“GDPR”).
Such case was brought before the ECJ by District Supreme Court of Dusseldorf and upon the examination by ECJ, it was decided that the Germany based online clothing retailer company titled Fashion ID and Facebook must be both held as joint data controllers since such plugin by Facebook was placed on the website of Fashion ID.
The technical examination ordered by ECJ proved that Facebook’s plugin collected the personal data of website visitors regardless of the visitors not having a Facebook account or not even clicking on such plugin. It has been stated in the decision by the ECJ that the rate of appearance of Fashion ID products on Facebook platforms increases in direct proportion to the clicks and that the personal data transferred to Facebook is used for Facebook’s commercial purposes.
As a result of the evaluation made in the light of the above information, ECJ has decided that only one of the parties cannot be considered as sole data controller and both parties should be considered as data controller jointly, as they determine the purposes and means of personal data processing within the framework of this process. ECJ further declared that website owners who have the title of joint data controllers should inform their users during or before the collection of their personal data and in cases where the data processing is not based on any legal reason, the explicit consent of data subjects should be obtained before the processing starts.
It is possible to foresee that the decision will have serious consequences not only for Facebook but also for all social media applications and especially for companies that have implemented online advertising applications. Companies subject to GDPR have to amend their current contracts as a result of the joint data controllership status and determine the duties and responsibilities of the parties in line with ECJ’s such decision.
Even if the results of the decision are observed and understood correctly by joint data controllers, the methods and means for the use of these rights should be clearly communicated to the data subjects in order to not to cause confusion in terms of how and against whom the data subjects can exercise their rights under the GDPR.
On a separate note, as per Article 26/2 of GDPR, the legal partnership between joint data controllers and their positions and responsibilities must be clearly provided to data subjects. Data subjects can claim their rights granted to them pursuant to respective articles of GDPR towards any of the joint data controllers.
With regards to the situation in Turkey, joint data controllership concept has not been stipulated within Personal Data Protection Law numbered 6698 (the “PDPL”). Therefore, it is not convenient to possible application of such decision within Turkish laws. However, given that very recently Turkish Grand National Assembly recently voted in the favor of 11th Development Plan which stipulated that Turkish privacy laws should be reviewed to become in parallel with GDPR, we might expect such positions and responsibilities such as joint data controllership may form in near future. Even in such case, it is difficult to foresee the applicability of joint data controllership within Turkish laws in advance.