New Schrems ruling by the ECJ: exceptional interpretation of Article 9 data

Data protection activist Maximilian Schrems has sued Facebook for processing his sexual orientation.
Categories:

Are social networks such as Facebook allowed to process all personal data for targeted advertising? This was one of the questions that the European Court of Justice (ECJ) had to clarify in a preliminary ruling procedure (C-446/21). In the original proceedings, the Austrian data protection activist Maximilian Schrems filed a lawsuit against Meta.

Maximilian Schrems sues Meta

Meta Platforms Ireland operates the Facebook social network, which was free of charge until November 5, 2023. Since 6 November 2023, users must either accept personalized advertising or take out a paid subscription. The platform also collects user data outside of the network, including through cookies, social plugins and pixels.

Maximilian Schrems accuses Meta Platforms Ireland of having processed his personal data, in particular sensitive data pursuant to Art. 9 GDPR, without his express consent. This sensitive data includes information about his political views and sexual orientation, which was obtained by analyzing his activities on and off Facebook. 

The order for reference shows that there are plugins on websites of political parties and on websites aimed at a homosexual audience that were visited by Mr. Schrems. These "plugins" enabled Facebook to track Schrems' behavior on the internet, which triggered the collection of certain sensitive personal data. Schrems subsequently received regular advertising aimed at a homosexual audience. He also received invitations to relevant events, even though he had not previously been interested in these events and did not know the venue. 

Meta Platforms Ireland argued that the processing of the personal data was based on the user contract between the company and the users and was therefore necessary for the performance of this contract pursuant to Art. 6 (1) (b) GDPR.

Processing of sexual orientation authorized by public disclosure?

The ECJ had to clarify the interpretation of several articles of the General Data Protection Regulation, which the Supreme Court (Austria) had referred for a preliminary ruling. The proceedings focused in particular on Article 5(1)(b) and (c) (purpose limitation and data minimization), Article 6(1)(a) and (b) (lawfulness of processing) and Article 9(1) and (2)(e) (special categories of personal data).

According to the findings of the Supreme Court, the person concerned, Maximilian Schrems, publicly communicates his sexual orientation. In particular, he referred to his sexual orientation during a panel discussion he attended in Vienna on 12 February 2019 at the invitation of the European Commission Representation in Austria in order to criticize the processing of personal data by Facebook, including the processing of his own data. However, Maximilian Schrems also stated on this occasion that he had never indicated this aspect of his private life in his Facebook profile.

The Supreme Court therefore posed the fundamental question of whether the data subject had obviously made the sensitive personal data public and thus authorized its processing in accordance with Art. 9 para. 2 letter e GDPR.

Supreme Court (Austria) refers questions of interpretation to the ECJ for a preliminary ruling

The Austrian Supreme Court therefore decided to stay the proceedings and refer the following questions to the ECJ for a preliminary ruling:

  1. Are the provisions of Article 6(1)(a) and (b) of the GDPR to be interpreted as meaning that the lawfulness of contractual provisions in general terms of use of platform contracts such as the one in the main proceedings (in particular contractual provisions such as: "Instead of paying [for this service] ... by using the Facebook products to which these Terms of Use apply, you agree that we may show you advertisements ... We use your personal data ... to show you advertisements that are more relevant to you.") that involve the processing of personal data for aggregation and analysis of data for the purpose of personalized advertising are to be assessed in accordance with the requirements of Art. 6(1)(a) in conjunction with Art. 7 GDPR, which cannot be replaced by invoking Art. 6(1)(b) GDPR?
  2. Is Art. 5 para. 1 lit. (c) GDPR (data minimization) be interpreted as meaning that all personal data held by a platform such as that in the main proceedings (in particular by the data subject or by third parties on and outside the platform) may be aggregated, analysed and processed for the purposes of targeted advertising without restriction as to the time or nature of the data?
  3. Is Article 9(1) GDPR to be interpreted as applying to the processing of data that allows targeted filtering of special categories of personal data such as political opinion or sexual orientation (e.g. for advertising), even if the controller does not differentiate between these data?
  4. Is Article 5(1)(b) in conjunction with Article 9(2)(e) GDPR to be interpreted as meaning that a statement about one's own sexual orientation for the purposes of a panel discussion permits the processing of other data relating to sexual orientation for the purposes of aggregating and analyzing data for the purposes of personalized advertising?


Reading tip:
ECJ ruling on GDPR fines - what discretion does a data protection authority have?

Decision of the ECJ

  1. Data minimization and purpose limitation (Art. 5 para. 1 lit. c GDPR):
    In its ruling, the ECJ clarified that the principle of data minimization precludes the unlimited storage and analysis of all personal data of a platform, both within and outside the platform. Meta Platforms Ireland may not aggregate and process all available data for advertising purposes without a clear purpose limitation and time limit. The principle of proportionality plays a decisive role here and any processing must be limited to what is absolutely necessary.
  1. Processing of sensitive data (Art. 9 GDPR):
    Art. 9 GDPR generally prohibits the processing of special categories of personal data unless the data subject has expressly given their consent or the data has been manifestly made public by the data subject. In its ruling, the ECJ states: "Article 9(2)(e) GDPR must be interpreted as meaning that the fact that a person has expressed his or her sexual orientation in a publicly accessible panel discussion does not allow the operator of an online platform for a social network to process other data relating to that person's sexual orientation which it may have obtained outside that platform from third-party applications and websites with a view to aggregating and analysing it in order to offer personalized advertising to that person."

The decision underlines the strict requirements for the lawfulness of processing personal data and the central importance of consent. The case has far-reaching implications for the business models of data-driven online platforms and their obligation to comprehensively protect the data protection rights of users.

Source: Judgment of the European Court of Justice of October 4, 2024 (C-446/21)

Tags:
Share this post :
en_USEnglish