New Schrems ruling by the ECJ: exceptional interpretation of Article 9 data

Data protection activist Maximilian Schrems has sued Facebook for processing his sexual orientation.
Categories:
,

May social Networks how Facebook uses all personal data for targeted Advertising process? This was one of the questions that the European Court of Justice (ECJ) had to clarify in a preliminary ruling procedure (C-446/21). In the main proceedings, the Austrian data protection activist Maximilian Schrems filed a lawsuit against Meta.

Maximilian Schrems sues Meta

Meta Platforms Ireland operates the social network Facebook, which was free of charge until November 5, 2023. Since November 6, 2023, users have had to pay either personalized Advertising or take out a paid subscription. The platform also collects user data outside the network, including through Cookiessocial plugins and pixels.

Maximilian Schrems accuses Meta Platforms Ireland of processing his personal data, in particular sensitive data pursuant to Art. 9 GDPRwithout his explicit Consent to have processed. This sensitive data includes information about his political views and sexual orientation, which was obtained by analyzing his activities on and off Facebook. 

It is apparent from the order for reference that there are plug-ins on websites of political parties and on websites aimed at a homosexual audience, which are used by Mr. Schrems were visited. Due to these "plugins", Facebook was able to track the behavior of Schrems on the Internet, which has triggered the collection of certain sensitive personal data. Schrems subsequently received regular Advertisingaimed at a homosexual audience. He also received invitations to relevant events, even though he had not previously been interested in these events and did not know the venue. 

Meta Platforms Ireland argued that the Processing of the personal data is based on the user contract between the company and the users and is therefore in accordance with Art. 6 (1) (b) GDPR. GDPR is necessary for the performance of this contract.

Processing of sexual orientation authorized by public disclosure?

The ECJ had to clarify the interpretation of several articles of the General Data Protection Regulation, which the Supreme Court (Austria) had referred for a preliminary ruling. The proceedings focused in particular on Article 5(1)(b) and (c) (Earmarking and Data minimization), Art. 6 (1) (a) and (b) (lawfulness of the processing). Processing) and Art. 9 (1) and (2) (e) (special categories of personal data).

According to the findings of the Supreme Court, the Affected parties Maximilian Schrems his sexual orientation publicly. In particular, he referred to his sexual orientation during a panel discussion in Vienna on February 12, 2019, at the invitation of the European Commission Representation in Austria, in order to Processing of personal data by Facebook, including the Processing of its own data. Maximilian Schrems took the opportunity to explain that he had never indicated this aspect of his private life on his Facebook profile.

The Supreme Court therefore posed the fundamental question of whether the Affected parties the sensitive personal data obviously made public and thus their Processing pursuant to Art. 9 para. 2 letter e GDPR have approved.

Supreme Court (Austria) refers questions of interpretation to the ECJ for a preliminary ruling

The Austrian Supreme Court therefore decided to stay the proceedings and refer the following questions to the ECJ for a preliminary ruling:

  1. If the provisions of Art. 6 para. 1 letters a and b GDPR must be interpreted as meaning that the legality of contractual provisions in general terms of use of platform contracts such as that at issue in the main proceedings (in particular, contractual provisions such as: 'Instead of paying [for this service] ... by using the Facebook products to which these Terms of Use apply, you agree that we may show you advertisements ... We will use your personal data ... to show you advertisements that are more relevant to you'), which are not in conformity with the law. Processing of personal data for aggregation and analysis of data for the purpose of personalized Advertising in accordance with the requirements of Art. 6 (1) (a) in conjunction with Art. 7 GDPR which cannot be assessed by invoking Article 6(1)(b) of the GDPR. GDPR can be replaced?
  2. Is Art. 5 para. 1 lit. c GDPR (Data minimization) must be interpreted as meaning that all personal data held by a platform such as that at issue in the main proceedings (in particular by the data subject or by Third on and off the platform), without restriction by time or type of data for the purposes of targeted Advertising can be aggregated, analyzed and processed?
  3. Is Art. 9 para. 1 GDPR be interpreted as referring to the Processing of data that allows targeted filtering of special categories of personal data such as political opinion or sexual orientation (e.g. for Advertising) is permitted, even if the Responsible persons does not differentiate between these data?
  4. Is Article 5(1)(b) in conjunction with Article 9(2)(e) GDPR that a statement about one's own sexual orientation for the purposes of a panel discussion is to be interpreted as meaning that the Processing of other sexual orientation data for the purposes of aggregating and analyzing data for the purpose of personalized Advertising allowed?


Reading tip: ECJ ruling on GDPR fines - what discretion does a data protection authority have?

Decision of the ECJ

  1. Data minimization and Earmarking (Art. 5 para. 1 lit. c GDPR):
    In its ruling, the ECJ made it clear that the principle of Data minimization prevents unlimited storage and analysis of all personal data of a Platform, both within and outside the Platform. Meta Platforms Ireland may not use all available data without clear Earmarking and process it for advertising purposes for a limited period of time. The principle of proportionality plays a decisive role here and each Processing must be limited to what is absolutely necessary.
  1. Processing sensitive data (Art. 9 GDPR):
    Art. 9 GDPR generally prohibits the Processing special categories of personal data, unless the processing affected Person has expressly declared their Consent or the data was obviously made public by the data subject. In its judgment, the ECJ explains: "Art. 9 para. 2 lit. e GDPR must be interpreted as meaning that the fact that a person has expressed his or her sexual orientation in a publicly accessible panel discussion does not allow the operator of an online social networking platform to process other data relating to that person's sexual orientation which it may have obtained outside that platform from third-party applications and websites with a view to aggregating and analyzing them in order to provide that person with personalized information. Advertising to offer."

The decision underlines the strict requirements for the legality of the Processing personal data and the central importance of the Consent. The case has far-reaching implications for the business models of data-driven online platforms and their obligation to comprehensively protect users' data protection rights.

Source: Judgment of the European Court of Justice of October 4, 2024 (C-446/21)

Contact us
Tags:
,
Share this post :

Popular categories

Newsletter

Subscribe to our data protection newsletter to receive the latest updates, tips and insights straight to your inbox.
Subscribe

Latest posts