In its decision in case C-394/23 of 9 January 2025, the ECJ dealt with the requirement of necessity and its relationship to data minimization. According to the court, controllers must consider whether the intended purpose cannot be achieved in a comparable way by other means. This considerably limits the flexibility in designing business processes.
Background
The ECJ's decision was based on a request for a preliminary ruling from the French Conseil d'État (Council of State). The Conseil d'État wanted to know whether a controller may take into account “general practice in business, private and official communication” when assessing “necessity” within the meaning of Art. 6 (1) (b) and (f) GDPR, or whether the principle of data minimization precludes this. Furthermore, it wanted to know whether a data subject's right to object under Art. 21 (1) GDPR should be taken into account in the context of necessity.
In the specific case, the French state railway SNCF had marked the “salutation” as a mandatory field when purchasing tickets online. After the Association Mousse complained to the French data protection supervisory authority Commission nationale de l'informatique et des libertés (CNIL) about this practice, the CNIL rejected the complaint as unfounded, which Mousse challenged in court.
The CNIL had justified its decision, inter alia, on the grounds that the contested data collection was necessary for the performance of the relevant contract for the provision of transport services. In its view, this processing was also compatible with the principle of data minimization, since addressing customers personally by their title was in line with general practice for communication in France.
The decision of the ECJ
The ECJ does not consider the processing of the title to be necessary for the specific purposes in this case. Customs and social conventions are not to be taken into account when assessing necessity.
As in the past, the ECJ interprets the criterion of necessity narrowly, both for the processing of data for the purpose of fulfilling a contract (Art. 6 (1) (b) GDPR) and for processing based on a legitimate interest (Art. 6 (1) (f) GDPR). Necessity must be assessed together with the principle of data minimization (Art. 5 (1) (c) GDPR). In the opinion of the ECJ, the necessity criterion must be fulfilled separately for each service to be provided. This means that if the service owed consists of several separable services, data processing based on Art. 6 (1) (b) GDPR must be essential for all services provided. In the opinion of the ECJ, common practice or usage is generally irrelevant for the assessment of necessity. In the context of a legitimate interest, the controller must therefore check whether the goal pursued by the custom or practice (here, inclusion of the title when addressing customers) cannot be achieved in a different way, by a possibly fundamentally different but more data-efficient form of data processing. The fact that data subjects have a right to object to processing based on Art. 6 (1) (f) GDPR is not relevant to the assessment of necessity.
Practical recommendation
Companies, as data controllers, must take into account and critically examine the further clarification of the ECJ's case law on the necessity of data processing when designing data-processing products and services as part of Privacy by Design: the usefulness of data for a specific purpose alone is not sufficient to justify lawful data processing. Rather, data-minimizing alternatives to the specific data processing must be carefully examined as early as the design stage. This also applies to data processing based on a legitimate interest. General practices and customs can only be taken into account in the balancing of interests, but not when determining which data is required for the processing.