On 4 October 2024, the Court of Justice of the European Union handed down yet another judgment involving privacy campaigner Max Schrems (C-446/21). The CJEU provided important clarification on the scope and limitations of the data minimisation principle and considered questions around the use of special data to target advertising – both in terms of how that data is sourced and how consent is obtained. The judgment is particularly relevant to operators of social network platforms and businesses that rely on extensive data aggregation to target advertising.
Background
When the GDPR came into force, the defendant and data controller, Meta Platforms Ireland Limited (Meta), which operates Facebook, updated its terms of use and issued them to users for review and consent. Users were required to consent in order to maintain their accounts, and the claimant, Maximilian Schrems (MS), duly consented to the updated terms.
Revenue and profit on a social network platform such as Facebook are generated to a considerable degree through targeted online advertising. Initially, Facebook processed personal data for targeted advertising based on legitimate interests, later changing to contractual necessity. As a result of CJEU judgments, in late 2023, Meta transitioned to operating a 'pay or consent' model in the EU, which offers users a choice between a subscription, ad-free model or consenting to targeted advertising and getting a free service. It now has plans to introduce a third option allowing for consent to limited tracking for advertising purposes.
Meta’s privacy and cookie policies show Meta collects personal data. Meta employs various tracking technologies, such as cookies and social plug-ins, to monitor user activities across its platforms and third-party sites.
At some point MS received advertisements on his feed from Meta regarding a certain politician and for products and events clearly targeted at the homosexual market. MS had not posted any sensitive data relating to his sexual orientation or his political views on his Facebook profile and had not given Meta permission to use information regarding his relationship status. However, in 2019, MS participated in a public panel during which he revealed his sexual orientation. This data is special category (sensitive) data under Article 9(1) GDPR, which cannot be processed unless one of the exceptions to the prohibition on processing applies. Meta was found to have processed the data on MS's homosexuality based on his public disclosure in 2019 and not on information contained in his Facebook profile. In other words, Meta had used special data sourced from outside Facebook to target ads on Facebook.
MS argued before the Austrian national court that the processing of his personal data by Meta violated the GDPR. In particular, he claimed that the conditions for valid consent were not met. Additionally, MS asserted that sensitive data had been processed without the required consent. He called on the court to prohibit Meta from using his data for personalised advertising or other purposes, especially when such data was obtained from third-party sources.
The CJEU's decision
The CJEU was asked by the referring Austrian court to clarify some key questions about how personal data can be processed under the GDPR. While two of the referred questions became irrelevant due to a previous ruling, the CJEU focused on two critical issues:
- Can online platforms process personal data for personalised advertising without strict time or data type limits? And does the principle of 'purpose limitation' prevent them from using sensitive data like sexual orientation for such purposes?
- Does publicly disclosing sensitive information, such as sexual orientation, during a public event allow platforms to process related data, including data from third-party sources, without breaching GDPR protections?
As a prelude, the CJEU outlined the steps for determining whether a person’s privacy rights have been violated. First, any data processing must follow the principles in Article 5 of the GDPR, such as ensuring the data collected is limited to what is truly necessary. Second, the processing must meet one of the legal conditions outlined in Article 6 GDPR. Finally, the rights of the individual, such as the right to access or delete their data (Articles 12–22 GDPR), must be respected.
In particular, the key principle of "data minimisation" requires that only data relevant and necessary for a specific purpose should be collected or stored. This principle directly impacts how organisations have to structure their data storage policies and their compliance measures. It also applies to how long data is kept: platform operators must limit storage to the minimum time required for the stated purpose, because the longer the data is stored, the more serious the consequences for the interests and private lives of the persons concerned may be. If a social media company, for example, stores data indefinitely for targeted advertising, it will breach the minimisation principle. Similarly, storing excessive user data, including special data, without clear limits undermines privacy rights and breaches the GDPR.
The CJEU highlighted, to the detriment of Meta’s position, that Meta collects data not only from users' Facebook activity but also from third-party websites, treating all data the same regardless of its sensitivity and creating serious interference with individuals’ privacy rights under the EU Charter. This broad, unrestricted use of data for personalised advertising was found to be unjustified and disproportionate.
The CJEU also addressed the issue of processing sensitive data, such as data relating to sexual orientation, and whether and under what circumstances aggregating and analysing that data for personalised advertising is GDPR-compliant. One of the exceptions to the prohibition on processing special data is where the individual has made the information public, as MS did during the 2019 panel discussion. However, the CJEU emphasised that this exception must be interpreted narrowly. Publicly sharing sensitive information does not grant platform operators like Meta unrestricted rights to process additional related data - particularly data obtained from third-party sources or other platforms - for personalised advertising.
The CJEU concluded that even though MS had disclosed his sexuality in public, Meta cannot use this as a blanket justification to process other related data. The rules around sensitive data must be interpreted strictly to protect individuals’ rights.
Key takeaways
In light of this ruling, online advertising businesses are advised to ensure GDPR compliance by adopting measures to limit data retention periods and implementing mechanisms for timely deletion of collected data. Transparency is crucial; organisations must ensure data subjects receive detailed information about processing purposes and legal bases, as mandated by Article 13 GDPR. They should also audit their data collection practices to avoid excessive data collection, introduce safeguards like pseudonymisation or anonymisation, provide employee training on GDPR principles, and maintain thorough records to demonstrate compliance during audits or inspections.
The CJEU's ruling emphasises that public disclosure of sensitive personal information, such as sexual orientation, does not equate to explicit consent for further processing of other related data of that person. This has significant implications for online advertising businesses: they must not assume that when a user shares sensitive information they can then freely process other information on the same sensitive topic for targeted advertising or other purposes. In other words, sharing a single piece of sensitive information does not constitute unlimited permission to process other related data. Businesses must obtain explicit, informed consent for processing special data, implement strict consent mechanisms where they rely on consent, and ensure that any processing falls within one of the narrow exceptions under Article 9 GDPR to the general prohibition on processing special data.