Protection of personal data

The operator of a website embedding a third-party plug-in, such as the Facebook ‘Like’ button, which causes the collection and transmission of the users’ personal data, is jointly responsible with Facebook for that stage of the data processing, Advocate General (AG) Michal Bobek has recently opined.

EU law secures the right of every individual to protect personal data concerning him or her and to ensure that such data is only processed lawfully by any person, be it natural or legal, who is in possession of such data. The General Data Protection Regulation (GDPR) which has since last May replaced the data protection directive, lays down a robust legal framework in order to ensure that EU citizens’ rights in this respect are safeguarded to the utmost extent.

The facts of this case were briefly as follows. Fashion ID is a German online retailer which sells fashion items. It embedded a plug-in on its website: Facebook’s ‘Like’ button. This means that when a user lands on Fashion ID’s website, information about that user’s IP address and browser string is transferred to Facebook. Such transfer occurs automatically when Fashion ID’s website has loaded, irrespective of whether the...