Facebook’s “Like” button makes third-party websites responsible for processing people’s data under the European Union’s privacy rules, according to the EU’s top court. The EU Court of Justice weighed in on a dispute after an online fashion retailer was accused of violating EU law by embedding a Like plugin, which a local consumer association said allowed the social media company to collect data on the site’s users. The decision came on the same day the so-called Snooper’s Charter, which allows the UK government to access data from emails and mobile phones, survived a court challenge. Regarding social plugins, the EU court ruled the owner of a website can be held jointly responsible for “the collection and transmission to Facebook of the personal data of visitors to its website”, the Luxembourg-based court said in a ruling on Monday. “By contrast, that operator is not, in principle, a controller in respect of the subsequent processing of those data carried out by Facebook alone.” The decision can’t be appealed. The case has been closely watched by privacy lawyers who say many companies are unaware of the potential risks of being held jointly liable with tech giants such as Facebook for data they share with them by embedding a social plugin on their website. Belgium’s data protection regulator said last year a ruling making websites jointly liable could have “serious repercussions” for website operators. The case dates back to before the EU enacted much stricter privacy rules with its General Data Protection Regulation, or GDPR. Still, the concept of two companies being seen as joint controllers for data protection reasons, remains relevant in the new rules, said Tom De Cordier, a technology and data protection lawyer at CMS DeBacker in Brussels. He said there’s a high likelihood that big organisations use such technology that tracks users’ data in some form on their websites. “The impact will be that if something goes wrong on the data collection side, you may be on the hook as much as Facebook is,” he said. “If the court takes a fairly broad interpretation of the concept of joint controllership, the risk exposure for companies becomes much bigger,” said Mr De Cordier before the ruling was known. “The level of awareness of this risk is still very low.” Seperately, a pair of UK judges dismissed the Snooper’s Charter lawsuit on Monday, saying they weren’t persuaded that the legislation is incompatible with European Union rules. Judge Rabinder Singh said the 2016 Investigatory Powers Act included several “safeguards against the possible abuse of power". Liberty, a civil rights group, said in the lawsuit that the law breaches citizens’ rights to privacy and free expression. The case centred on UK rules that allow the state to store “vast data sets” taken from electronic devices that mostly contain “information of no relevance to national security”, according to the campaign group. Megan Goulding, an attorney for Liberty, said the judgment “allows the government to continue to spy on every one of us, violating our rights to privacy and free expression”. The group will appeal the ruling, she said. The government said the powers are “of critical importance” to protect the public from terrorism, hostile state activity and serious and organized crime, and they “strike an appropriate balance between security and individual privacy,” according to its filings for the trial. The Home Office declined to immediately comment after the ruling.
