On Joint Controllership for Social Plugins and Other Third-Party Content – a Case Note on the CJEU Decision in Fashion ID

Directive 95/46/EC, Arts. 2(d) and (h), 7(a) and (f), 10
  • Jure GlobocnikEmail author
Case Note European Union


In its decision in Fashion ID, the Court of Justice of the European Union (CJEU) assessed the responsibilities pertaining to the processing of personal data through a Facebook “Like” button embedded in a third-party website. The decision, which was not directed at Facebook Ireland, but at a comparatively small German online clothing retailer embedding the social plugin, reaffirms the preference of (German) authorities and consumer protection associations to regulate Facebook indirectly, i.e. through decisions directed against Facebook’s partners, which is seemingly the more feasible way. In the decision, the CJEU concluded that the website operator, and Facebook Ireland as the plugin provider are jointly responsible merely for the collection of personal data and its disclosure by transmission to Facebook Ireland, whereas the subsequent data processing operations fall under the sole responsibility of Facebook Ireland. This case note argues that this delineation does not sufficiently consider the technical reality behind such plugins. Further, it argues that the CJEU seems to have relied predominantly on the criterion of decisive (factual) influence on data processing, thereby departing from its previous case law. The CJEU further ruled that should joint data processing be based on webpage visitors’ consent, the latter has to be collected by the webpage operator. This solution creates a significant additional administrative burden for the involved companies. According to this case note, the decision on such a technical matter should rather have been left to the disposition of the companies.


Data protection Facebook “Like” button Social plugins Joint controllership Legal grounds for data processing Legal standing of consumer associations 



  1. Botta M, Wiedemann K (2019) The interaction of EU competition, consumer, and data protection law in the digital economy: the regulatory dilemma in the Facebook odyssey. Antitrust Bull 64:428–446CrossRefGoogle Scholar
  2. Briegleb V (2014) Datenschutz und Social Media: Der c’t Shariff ist im Einsatz. Accessed 7 Aug 2019
  3. Buchner B, Kühling J (2018) Art. 7 DS-GVO. In: Kühling J, Buchner B (eds) Datenschutz-Grundverordnung/BDSG, 2nd edn. C.H.Beck, Munich, pp 285–308Google Scholar
  4. Dannapel D (2019) EuGH-Entscheidung zur gemeinsamen Verantwortlichkeit bei Datenverarbeitung durch Webseitenplugins. Accessed 7 Aug 2019
  5. Dünkel H (2019) Kollektiver Rechtsschutz bei Datenschutzrechtsverstößen – Durchsetzung der DSGVO durch deutsche Verbraucherverbände. DuD 8:483–487CrossRefGoogle Scholar
  6. Edwards L, Finck M, Veale M, Zingales N (2019) Data subjects as data controllers: a fashion(able) concept? Accessed 7 Aug 2019
  7. Google (2019) Google fonts. Accessed 7 Aug 2019
  8. Hanff A (2018) Case C-210/16 and joint liability for third party processing activities. Accessed 7 Aug 2019
  9. Hanloser S (2019) EuGH: Fashion ID: Facebook Like Button: Keine gemeinsame Verantwortlichkeit für Datenspeicherung und weitere Verarbeitung durch Facebook. Accessed 7 Aug 2019
  10. Kathuria V, Globocnik J (2019) Exclusionary conduct in data-driven markets: limitations of data sharing remedy. Accessed 7 Aug 2019
  11. Kremer S (2019) EUGH entscheidet Fashion ID: Einwilligung für Social Plugins und Tracking erforderlich. Accessed 7 Aug 2019
  12. Mahieu R, van Hoboken J, Asghari H (2019) Responsibility for data protection in a networked world: on the question of the controller, “effective and complete protection” and its application to data access rights in Europe. JIPITEC 10:85–105Google Scholar
  13. Schmidt J (2011) 2 Klicks für mehr Datenschutz. Accessed 7 Aug 2019
  14. State Commissioner for the Protection of Data and Freedom of Information Rhineland-Palatinate (2019) “Gefällt mir”– der EuGH sieht Webseiten-Betreiber und Facebook als gemeinsam verantwortlich. Accessed 7 Aug 2019
  15. Tene O (2013) Privacy law’s midlife crisis: a critical assessment of the second wave of global privacy laws. Ohio State Law J 74:1217–1261Google Scholar
  16. Webdesign Journal (2019) Google Fonts – Die Einbindung in 3 einfachen Schritten. Accessed 7 Aug 2019
  17. Ziegenhorn G, Fokken M (2019) EuGH: Reichweite der datenschutzrechtlichen Verantwortlichkeit für Website-Betreiber. Accessed 7 Aug 2019

Copyright information

© Max Planck Institute for Innovation and Competition, Munich 2019

Authors and Affiliations

  1. 1.LL.M. Eur. (Munich); Junior Research FellowMax Planck Institute for Innovation and CompetitionMunichGermany

Personalised recommendations