CJEU - C-394/23 Mousse: Difference between revisions

CJEU - C‑394/23 Mousse
Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 5(1)(c) GDPR Article 6(1)(b) GDPR Article 6(1)(f) GDPR
Decided:	09.01.2025
Parties:	Association Mousse CNIL
Case Number/Name:	C‑394/23 Mousse
European Case Law Identifier:	ECLI:EU:C:2025:2
Reference from:	CE (France) 452850
Language:	24 EU Languages
Original Source:	AG Opinion Judgement
Initial Contributor:	fb

The CJEU found that in light of the principle of data minimisation, the systematic and generalised processing of passengers’ titles ("Madame" / "Monsieur") is neither necessary for the performance of a contract nor for the legitimate interest of personalising commercial communication.

English Summary

Facts

Association Mousse lodged a complaint with the French DPA (CNIL) after a data subject purchased rail travel documents from SNCF Connect (the controller). The controller required customers to enter their title (Madame / Monsieur) when they purchased travel documents. The complaint argued that the controller should not collect this data or that, at the very least, it should offer customers additional options such as ‘neutral’ or ‘other.’

The controller argued that knowing the sex of the data subject permitted it to personalise communications in accordance with commonly accepted practices in commercial communications. It also stated that the processing permitted it to adapt the services it provided (such as providing access to women-only carriages on night trains).

On 23 March 2021, the CNIL found that the controller’s processing did not violate the GDPR. It found the processing lawful under Article 6(1)(b) GDPR, viewing it as necessary for the performance of the contract to supply transport services, and considered the processing consistent with the principle of data minimisation.

Association Mousse brought an action for annulment of the CNIL’s decision before the Conseil d’État. In addition to reiterating its legal basis and data minimisation challenges, it pointed out that the processing infringed the right to travel without disclosing one’s title, the right to respect for private life and freedom to freely define one’s gender expression. It also noted that in countries who recognize nonbinary civil statuses, the indication does not correspond to reality and may prove contrary to the principle of accuracy.

The Conseil d’État stayed the proceedings and referred two questions to the CJEU.

1. In assessing whether data collection is consistent with Article 5(1(c) GDPR and Articles 6(1)(b) and (f) GDPR, may account be taken of commonly accepted practices in civil, commercial and administrative communications (here, the collection of data relating to consumers’ titles)?
2. In assessing the ‘necessity’ of collection and processing of customer titles under Article 6(1)(f) GDPR, should account be taken of the fact that the customers may exercise their right to object under Article 21 GPDR?

Advocate General Opinion

Question 1

With regard to the first question, the Advocate General concluded that the processing exceeded what was necessary to perform the contract pursuant to Article 6(1)(b) GDPR and was unlawful under Article 6(1)(f) GDPR. This also resulted in an infringement of the data minimisation principle under Article 5(1)(c) GDPR.

The Advocate General considered the CJEU’s interpretation of Article 6(1)(b) GDPR in C-252/21 Bundeskartellamt, in which it held that processing must be “objectively indispensable for a purpose that is integral to the contractual obligation..." to be considered ‘necessary’ within the meaning of Article 6(1)(b) GDPR. The question in this case is thus whether the processing of customer titles is objectively indispensable to achieve a purpose integral to the supply of transport. The Advocate General considered that neither the communication with the customer in accordance with commonly accepted practices in commercial communications nor the goal of offering personalised transport services (such as women-only rail cars) were an integral part of the supply of the transport service. While these practices were inherent in the supply of transport service, they were not indispensable such that there was “no other practicable and less intrusive means of achieving the same purpose.” Thus, the Advocate General concluded, the processing went beyond what is necessary under Article 6(1)(b) GDPR.

In assessing the lawfulness of the processing under Article 6(1)(f) GDPR, the Advocate General considered whether the controller’s processing met the CJEU’s three-part test: (1) pursuit of a legitimate interest; (2) necessity of processing to achieve the legitimate interest; and (3) the legitimate interest is not outweighed by the interests or fundamental freedoms and rights of persons concerned. For the first step, the Advocate General cited C-252/21 Bundeskartellamt’s interpretation that under Article 13(1)(d) GDPR, the controller is responsible for informing the data subject of the legitimate interests pursued where processing is based on Article 6(1)(f) GDPR. The controller did not fulfil this obligation. Its privacy statement merely referenced ‘legitimate interest’ as its legal basis without specifying precisely what the legitimate interest was. Further, the general reference in the privacy policy, which the data subject must consciously and separately search for, did not comply with Article 13(1)(d) GDPR’s obligation to inform the data subject of the legitimate interest at the time when personal data are collected, which the Advocate General interprets as requiring that “such information is brought directly to the customer’s attention when he or she provides the data in question...”

Given the failure to inform data subjects of the legitimate interest pursued, the Advocate General found that the processing was not lawful under Article 6(1)(f) GDPR. However, it still conducted the rest of the three-part test in case the CJEU found the legitimate interest was properly communicated. Under the first step, the purpose of communication with a customer may constitute a legitimate interest. The second step, however, was not satisfied because the processing went beyond what was necessary to communicate with the customer. Finally, the Advocate General found that the controller’s legitimate interest of communication with the customer could not override the fundamental rights and freedoms of the data subject. It noted that a customer of the controller could not have reasonably expected that this data would be processed with the aim of communicating with the customer.

Question 2

The Advocate General concluded that Article 21 GDPR cannot be taken into consideration in examining the necessity of processing under Article 6(1)(f) GDPR.

The Advocate General considered that Articles 6(1) and 21 GDPR perform different functions. As a result, Article 21 GDPR cannot be taken into consideration in examining the lawfulness of processing, which is governed solely by Article 6 GDPR. If the existence of a right to object were taken into account to assess the lawfulness of processing under Article 6GDPR, it would amount to processing being accepted as lawful on the sole ground that the data subject might subsequently object to that processing. This would make the level of protection available to data subjects dependent on their diligence in objecting to the processing of their personal data, undermining the GDPR’s objective of ensuring a high level of protection.

Judgement

Question 1

The Court stated that, in accordance with the principle of data minimisation enshrined in Article 5(1)(c) GDPR, which gives expression to the principle of proportionality, the data collected must be adequate, relevant, and limited to what is necessary in light of the purposes for which those data are processed.

Regarding Article 6(1)(b) GDPR

Consequently, the court held, that for processing to be regarded as necessary for the performance of a contract according to Article 6(1)(b) GDPR, that processing must be objectively indispensable in order to enable the proper performance of that contract. Applying these standards to the case at hand, the Court found that personalisation of the commercial communication based on presumed gender identity according to a data subject’s title does not appear to be objectively indispensable in order to enable the proper performance of a rail transport contract. The controller could choose to communicate based on generic, inclusive expressions when addressing a data subject, which have no correlation with the presumed gender identity of those data subjects as that would be a workable and less intrusive solution.

The Court pointed out that, insofar as the data processing at issue aimed at adapting services for night trains (which have carriages reserved for persons with the same gender identity) and to assist passengers with disabilities, these purposes cannot justify the systematic and generalised processing of data relating to the title of all customers, including daytime passengers or passengers without any disabilities. Such processing would be disproportionate and therefore contrary to the principle of data minimisation.

Regarding Article 6(1)(f) GDPR

Regarding the proclaimed legitimate interest of the controller, the court established three cumulative conditions, that have to be satisfied in order for processing to be regarded as necessary in accordance with Article 6(1)(f) GDPR. This is not the case

1. where those data subjects were not informed of the legitimate interest pursued when those data were collected, according to Article 13(1)(d) GDPR;
2. where the processing is not carried out only insofar as is strictly necessary for the attainment of that legitimate interest; or
3. where, in light of all of the relevant circumstances, the fundamental freedoms and rights of those data subjects can prevail over that legitimate interest, as stated in Recital 47, in particular where there is a risk of discrimination on grounds of gender identity.

The referring court must assess, whether processing the title of customers of a transport undertaking to personalise the commercial communication based on their gender identity satisfies these conditions.

Question 2

The Court stated that the data subject’s right to object enshrined in Article 21(1) GDPR presupposes the existence of lawful processing. Therefore, the Court held, in accordance with the AG, that the existence of a right to object cannot be taken into consideration when assessing the lawfulness and, in particular, the need to process personal data under Article 6(1)(f) GDPR. According to the Court, any other interpretation would weaken the requirements of Article 6(1)(f) GDPR by extending the grounds for the lawfulness of the processing concerned, even though that provision must be interpreted restrictively in order to safeguard the rights of data subjects under the GDPR.

Therefore, the Court held that Article 6(1)(f) GDPR must be interpreted as meaning that, to assess the need for processing of personal data under that provision, it is not necessary to take into consideration the possible existence of a right of the data subject to object under Article 21 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.