Who’s in control? (wonkish)

Bit of a technical one for the privacy nerds here. There’s an interesting update from the ECJ:

The Advocate General proposes to rule that under the Data-Protection-Directive the operator of a website who has embedded on its website a third-party plugin (such as the Facebook Like button), which causes the collection and transmission of the user’s personal data, shall be considered to be a joint controller, along with such third party (here Facebook Ireland). However, that controller’s (joint) responsibility should be limited to those operations for which it effectively co-decides on the means and purposes of the processing of the personal data.


How entirely expected.

Wait. What?

The interesting point here isn’t that the website owner is a controller – that was always obvious to anyone with a brain. It’s that the third party must be a controller. A lot of the tracking cookie and analytics plug-in types like to paint themselves as processors. This will stop that, and will bring them inside the fold of GDPR transparency requirements. Many of them are also based outside the EEA, which makes the use of the plug-in an international transfer.

You might want to have another look at the EULAs, contracts and other data-sharing agreements you have for every plug-in, cookie, tracking service, lead identification service and so on and so forth that you have on your website. 

And if you run one of those services, you should probably move reviewing your privacy and compliance provision to the top of your to-do list.
