Plugins and POPI: A Critical Discussion into the Legal Implications of Social Plugins and the Protection of Personal Information
DOI:
https://doi.org/10.17159/1727-3781/2023/v26i0a15758Keywords:
POPI, social plugins, Directive 95/46/EC, GDPR, internet trackers, joint responsible parties, legitimate interests, consent, processing of personal informationAbstract
Social plugins are one of the many trackers used by companies with an online presence. However, under the Protection of Personal Information Act 4 of 2013 (POPI), these trackers have certain legal consequences for internet users. The main reason for this is that trackers tend to process personal information without informing internet users that their data are being collected, the reason for the collection or processing thereof, or who the responsible parties are that are collecting and processing the personal information. The article looks at these issues, amongst others, in the light of a 2019 judgment from the Court of Justice of the European Union or CJEU, namely, Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW e.V. EU:C:2019:629. Due to the fact that it has had data protection legislation for much longer than other countries or legal jurisdictions, including South Africa, the European Union (the EU) has a substantial body of case law interpreting the data protection legislation of the EU itself as well as that of the individual member states. One of the main instruments used as guidance by the drafters of POPI was Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (hereafter Directive 95/46). Directive 95/46 was previously considered the gold standard, before Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation) (hereafter the GDPR) was enacted and Directive 95/46/EC was finally repealed. Since Directive 95/46 was one of the main guiding documents used in drafting POPI, one may expect that the South African courts may turn to the EU and consider how the CJEU has interpreted the similar provisions contained in Directive 95/46, especially since there is very little South African jurisprudence available on POPI. The four main issues under discussion are: who, other than the internet users, has the locus standi to bring an application in terms of POPI? Second, what are the responsibilities of joint responsible parties towards internet users? Third, where there are joint responsible parties, do both need a legitimate interest to process personal information? Lastly, who will be responsible for obtaining the necessary consent to process the personal data?
Downloads
References
Bibliography
Literature
Aladeokin A, Zavarsky P and Memon N "Analysis and Compliance Evaluation of Cookies-Setting Websites with Privacy Protection Laws" in Twelfth International Conference on Digital Information Management (ICDIM) (12-14 September 2017 Fukuoka) 121-126
Coetzee SA "A Legal Perspective on Social Media Use and Employment: Lessons for South African Educators" 2019 PELJ 1-36 http://dx.doi.org/10.17159/1727-3781/2019/v22i0a5778
De Conca S "Between a Rock and a Hard Place: Owners of Smart Speakers and Joint Control" 2020 SCRIPTed: Journal of Law, Technology and Society 238-268
De Stadler E et al Over-Thinking the Protection of Personal Information Act: The Last POPIA Book You Will Ever Need (Juta Cape Town 2021)
Docksey C and Hijmans H "The Court of Justice as a Key Player in Privacy and Data Protection: An Overview of Recent Trends in Case Law at the Start of a New Era of Data Protection Law" 2019 EDPL 300-316
Duina F "Explaining Legal Implementation in the European Union" 1997 Int'l J Soc L 155-179
Ermakova T et al "Web Tracking: A Literature Review on the State of Research" in Proceedings of the 51st Hawaii International Conference on System Sciences (3-6 January 2018 Waikoloa Village) 4732-4741
Gerlitz C and Helmond A "The Like Economy: Social Buttons and the Data-Intensive Web" 2013 New Media and Society 1348-1365
Globocnik J "On Joint Controllership for Social Plugins and Other Third-Party Content: A Case Note on the CJEU Decision in Fashion ID" 2019 IIC 1033-1044
Karjiker S "Hyperlinking and Copyright" 2022 SALJ 181-204
Larson E "Tracking Criminals with Internet Protocol Addresses: Is Law Enforcement Correctly Identifying Perpetrators?" 2017 NC J L & Tech 316-358
Lindroos-Hovinheimo S "Who Controls our Data? The Legal Reasoning of the European Court of Justice in Wirtschaftsakademie Schlewig-Holstein and Tietosuojavaltuutettu v Jehovan todistajat" 2019 Info & Comm Tech L 225-238
Röttgen C "Like or Dislike—Web Tracking" in Hoeren T and Kolany-Raiser B (eds) Big Data in Context: Legal, Social and Technological Insights (Springer Cham 2018) 73-80
Strauß S and Nentwich M "Social Network Sites, Privacy and the Blurring Boundary between Public and Private Spaces" 2013 Science and Public Policy 724-732
Srinivasan D "The Antitrust Case against Facebook: A Monopolist's Journey towards Pervasive Surveillance in Spite of Consumers' Preference for Privacy" 2019 Berkeley Bus LJ 39-101
Strauß S and Nentwich M "Social Network Sites, Privacy and the Blurring Boundary between Public and Private Spaces" 2013 Science and Public Policy 724-732
Truyens M "No more Cookies for Unregistered Facebook Users in Belgium: Belgian Data Protection Legislation Applies to Facebook" 2016 EDPL 135-140
Veale M and Zuiderveen Borgesius F "Adtech and Real-Time Bidding under European Data Protection Law" 2022 German Law Journal 226-256
Wiedemann K "The ECJ's Decision in 'Planet49' (Case C-673/17): A Cookie Monster or Much Ado about Nothing?" 2020 IIC 543-553
Zalnieriute M and Churches G "When a 'Like' is not a 'Like': A New Fragmented Approach to Data Controllership" 2020 MLR 861-876
Case law
European Union
Breyer v Bundesrepublik Deutschland (C‑582/14) EU:C:2016:779
Bundesverband der Verbraucherzentralen und Verbraucherverbände - VerbraucherzentraleBundesverband eV v Planet 49 (C-673/17) EU:C:2019:801
Data Protection Commission v Facebook Ireland and Maximillian Schrems (C-311/18) EU:C:2020:559
Facebook Ireland Ltd v Gegevensbeschermingsautoriteit (C-645/19) EU:C:2021:483
Fashion ID GmbH and Co KG v Verbraucherzentrale NRW e.V. (C-40/17) EU:C:2019:629
Google Spain SL, Google LLC v Agencia Española de Protección de Datos (AEPD), Mario Costeja González (C-131/12) EU:C:2014:317
Institut Professionnel des Agents Immobiliers (IPI) v Geoffrey Englebert (C-473/12) EU:C:2009:293
Lindqvist (C-101/01) EU:C:2003:596
Meta Platforms Ireland Ltd v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Case C- 319/20) EU:C:2022:322
Rechnungshof v Österreichischer Rundfunk and Christa Neukomm and Joseph Lauermann v Österreichischer Rundfunk (C-465/00, C-138/01 & C-139/01) EU:C:2003:294
Schrems v Data Protection Commissioner (C-362/14) EU:C:2015:650
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (C-210/16) EU:C:2018:388
Valsts Policijas Rīgas Reģiona Pārvaldes Kārtības Policijas Pārvalde v Rīgas Pašvaldības SIA 'Rīgas Satiksme' (Case C-13/16) EU:C:2017:336
South Africa
H v W 2013 2 SA 530 (GSJ)
Isparta v Richter 2013 6 SA 529 (GNP)
Smuts v Member of the Executive Council: Eastern Cape Department of Economic Development Environmental Affairs and Tourism (1199/2021) [2022] ZAECMKHC 42 (26 July 2022)
United States of America
Largent v Reed and Pena (Case No 2009-1823) 39th Judicial District of Pennsylvania, Franklin County (7 November 2011)
Legislation
Germany
Gesetz gegen den Unlauteren Wettbewerb (1909) (Law against Unfair Competition)
South Africa
Constitution of the Republic of South Africa, 1996
Promotion of Access to Information Act 2 of 2000
Protection of Personal Information Act 4 of 2013
Government publications
Proc 21 in GG 43461 of 22 June 2020
International instruments
Charter of Fundamental Rights of the European Union (2000)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (1995)
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (2002) (Directive on Privacy and Electronic Communications)
European Convention for the Protection of Human Rights and Fundamental Freedoms (1950) (as amended by Protocol Nos 11 and 14, and Supplemented by Protocols Nos 1, 4, 6, 7, 12, 13 and 16)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (2016) (General Data Protection Regulation)
Internet sources
Acar G et al 2015 Facebook Tracking through Social Plug-ins: Technical Report Prepared for the Belgian Privacy Commission https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf accessed 10 October 2022
Kelly MJ 2019 What is a Web Tracker? Mozilla Explains https://blog.mozilla.org/en/internet-culture/mozilla-explains/what-is-a-web-tracker/ accessed 16 November 2022
Published
Issue
Section
License
Copyright (c) 2024 Helga Schultz, Warren Freedman
This work is licensed under a Creative Commons Attribution 4.0 International License.