In today’s data-driven world, data protection is the rising trend in Europe as a consequence of General Data Protection Regulation’s entry into force on 25 May 2018 in the European Union. With this Regulation the scope of responsibility of data controllers has been broadened and the extent of fines have been increased up to 4% of the total worldwide annual turnover or €20 Million of the breaching data controller. Although not as high as in Europe, Turkey’s Law On the Protection of Personal Data which was substantially adopted from the European data protection legislation has introduced fines up to 1,000,000 TL.

Data controllers are obliged to inform “data subjects” on the GDPR policy of the data controller (i.e the purpose and extent of the personal data to be collected and processed) and obtain explicitly, freely given consent of them in advance. For those who are not familiar with the legal jargon of GDPR, the “data subject” is defined as any person whose personal data is being collected, held or processed; while the “data controller” is defined as a person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body).

In very brief words, the essence of the legislation is that unless your personal data is required under certain legal obligations, your consent is required to be obtained by the data controller for data collection and processing.

According to an article called ‘‘Popular apps share data with Facebook without user consent’’[[1]](https://www.kesikli.com/popular-apps-and-websites-are-in-a-potential-breach-of-gdpr/#_ftn1) of Financial Times, some of the most popular apps for Android smartphones such as Trip Advisor, Skyscanner and MyFitnessPal, are transmitting data automatically to Facebook the second that they are opened on a phone without the consent of the users. Such transmissions of the apps are alleged to breach the GDPR due to the lack of an explicit and informed consent of the relevant users. As it is obvious, most of the apps are for free and they make money from data-sharing and advertising.

In fact, not only the popular apps are in potential of breach GDPR but also the websites that transfer data to Facebook are in potential breach of European data protection legislation.

In a recent investigation, Advocate General Bobek (Advocate General at the EU Court of Justice) has interpreted whether a website breaches the data protection legislation by transferring data automatically to Facebook and has assessed the controller concept in terms of liability in his newly published Opinion dated 19 December 2018 in Case C‑40/17.

In Case C-40/17, Vernraucherzentrale NRW e.V, a German consumer protection association, brought legal proceedings for an injunction against Fashion ID GmbH&Co. KG (“Fashion ID”) on the grounds that Fashion ID embedded a plug-in (Facebook’s Like Button) its website which is alleged to be a breach of data protection legislation. Facebook Ireland Limited is the joined party by reason of the transfer that occurs automatically when Fashion ID’s website has loaded irrespective of whether the user has clicked on the Like buton and whether or not he has a Facebook account.

In this case, the Oberlandesgericht Düsseldorf (HigherRegional Court, Düsseldorf, Germany) sought the interpretation of several provisions of the former Data-Protection-Directive of 1995 (Directive 95/46, which remains applicable to this case, but has been replaced by the new General Data Protection Regulation of 2016 with effect from 25 May 2018).

Some of the questions addressed are the following:

• Whether Fashion ID is classified as a ‘controller’ with regard to the data processing taking place, and if so how exactly are the individual obligations imposed by Directive 95/46 to be met in such a scenario?
• Whose legitimate interests are to be considered under the balancing exercise required by Article 7(f) of Directive 95/46 ?
• Whether Fashion ID has a duty to inform data subjects about the data processing, and whether Fashion ID must collect the informed consent of the data subjects for the same?

In summary, the Advocate General’s opinion is that:

• Fashion ID and Facebook Ireland are joint controllers, while the liability of each of them is limited to the specific stage of data processing.
• The balancing exercise provided for in Article 7(f) of Directive 95/46 requires the legitimate interest of both the Defendant and Facebook Ireland to be taken into account.
• The data subject’s informed consent for a given data processing stage must be obtained by Fashion ID, and the Defendant also has the obligation to provide information to the data subject before obtaining such consent.

While a decision has not yet been rendered on the aforementioned matter, in the light of the Advocate General’s opinion, apps and websites are more likely to be watched closely in consideration with the strict rules of the European data protection legislation. As it is clear that being a data controller carries with it serious legal responsibilities, all the companies and organizations should be well informed to be quite clear if these responsibilities apply to them or their organisations.

For those organizations operating internationally, the issue of compliance becomes more sensitive as numerous data protection acts and supervisory authorities will be involved in addition to the local legislations.

Kesikli Law Firm is ready to assist your business, together with its technical / technological cooperation partners, to avoid or minimize the risk of non-compliance and the resultant fines.

@Ömer Kesikli

(1) (https://www.kesikli.com/popular-apps-and-websites-are-in-a-potential-breach-of-gdpr/#_ftnref1) Murgia, Madhumita, ‘‘Popular apps share data with Facebook without user consent’’ https://www.ft.com/content/62f74704-0abf-11e9-9fe8-acdb36967cfc?emailId=5c2902bc059a650004f0d452&segmentId=3d08be62-315f-7330-5bbd-af33dc531acb