CJEU - C‑446/21 - Maximilian Schrems v Meta Platforms Ireland Limited
CJEU - C‑446/21 Maximilian Schrems v Meta Platforms Ireland Limited | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 5(1)(b) GDPR, Article 5(1)(c) GDPR, Article 9(2)(e) GDPR |
Decided: | 04.10.2024 |
Parties: | Meta Platforms Ireland Limited |
Case Number/Name: | C‑446/21 Maximilian Schrems v Meta Platforms Ireland Limited |
European Case Law Identifier: | ECLI:EU:C:2024:366 |
Reference from: | OGH (Austria) |
Language: | 24 EU Languages |
Original Source: | AG Opinion, Judgement |
Initial Contributor: | nzm |
The CJEU stated that public disclosure of a data subject’s sexual orientation does not allow a controller to process, under Article 9(2)(e) GDPR, other data relating to that orientation. The court also noted that the data retention period for the purpose of targeted advertising should reflect the category of data processed.
English Summary
Facts
In 2018, Meta Platforms Ireland (“controller”) presented new Facebook terms of service to its users in the European Union, with a view to obtaining their consent. The data subject, a Facebook user, accepted the new terms of service presented by the controller.
The data subject received an advertisement for a female politician on the basis of the analysis that he was similar to other “customers” who “liked” her. He also regularly received advertising aimed at homosexuals and invitations to corresponding events. The data subject had publicly referred to his homosexuality, but had never mentioned his sexual orientation on Facebook, nor published any sensitive data. He hadn’t authorised the controller to use the fields in his profile relating to his relationship status, employer, job title or education for the purposes of targeted advertising either.
Those advertisements and invitations were not based directly on his sexual orientation or his “friends” on Facebook, but on an analysis of their particular interests. The data subject claimed that the controller recorded all data relating to him, including those obtained through third parties or plug-ins, and stored them for an indefinite period.
Subsequently, during a panel discussion, the data subject referred to his sexual orientation during a speech aimed at criticizing the allegedly unlawful processing by the controller of data relating to his sexual orientation.
The data subject therefore brought an action before the Landesgericht für Zivilsachen Wien (Regional Court for Civil Matters, Vienna, Austria) seeking enforcement, a declaration and an injunction concerning the allegedly unlawful processing of his personal data. His action was dismissed at first instance on 30 June 2020 and, on appeal, by the Oberlandesgericht Wien (Higher Regional Court, Vienna, Austria) on 7 December 2020. The data subject therefore lodged an appeal with the Oberster Gerichtshof (Supreme Court).
The latter referred a total of four questions to the CJEU. However, two of them were withdrawn following the judgement of 4 July 2023, Meta Platforms and Others. The two remaining questions are:
- Does the data minimisation principle (Article 5(1)(c) GDPR) mean that all personal data held by a platform may be aggregated, analysed and processed for the purposes of targeted advertising without any restriction?
- Does Article 5(1)(b) read in conjunction with Article 9(2)(e) GDPR mean that a statement made by a person about their sexual orientation for the purposes of a panel discussion permits a controller to process other data concerning their sexual orientation to offer them personalised advertising?
Advocate General Opinion
Advocate General Rantos published his opinion on the matter on 25 April 2024.
On the first question:
Firstly, the Advocate General recalled that the CJEU has stated that the principle of data minimisation set out in Article 5(1)(c) GDPR provides that personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This reflects the principle of proportionality. Therefore, the principle of data minimisation aims to minimise the restrictions on the right to the protection of personal data caused by the processing (§20 of the Opinion).
The Advocate General considered that the absence of any limitation is, by definition, contrary to the principle of data minimisation (§21 of the Opinion).
Regarding the restrictions relating to time, the Advocate General states that in the absence of a specific provision in the GDPR, the EU judicature cannot set a mandatory time limit for the retention of such data. An initially lawful processing may, over time, become incompatible in particular with Article 5(1)(c) GDPR if the data are no longer necessary in light of the purposes for which they were collected. Therefore, the referring court must assess whether the period of retention of personal data by the controller is justified having regard to the legitimate aim of processing said data for the purposes of personalised advertising (§22 of the Opinion).
Regarding the restrictions relating to the type of data, the Advocate General held that it is also for the referring court to determine whether the processing of personal data may be considered lawful in accordance with the principle of proportionality, with regard to the circumstances of the present case (§23 of the Opinion).
Secondly, the Advocate General indicated that Article 5(1)(c) uses very general conditions (“adequacy”, “relevance”, “necessity”) which demonstrates that the EU legislature intended to leave a wide discretion to the competent authorities. Indeed, these conditions can only be interpreted on a case-by-case basis (§25 of the Opinion).
However, the Advocate General considered that certain distinctions may be drawn depending on the impact on data subjects’ rights. On the one hand, a distinction can be made between ‘static’ data (age or sex for example) and ‘behavioural’ data (monitoring users’ browsing habits for example), as the latter is in general more intrusive as regards the data subject’s rights. Regarding behavioural data, a distinction can also be drawn between ‘active’ behaviour (clicking on the ‘like’ button for example) and ‘passive’ behaviour (visiting a website for example), as the latter is generally more intrusive for the user. On the other hand, the Advocate General also distinguishes between the processing of personal data collected on the Facebook platform and outside that platform, the latter being more intrusive for the data subject (§25 of the Opinion).
The Advocate General also held that it is important to take into account the reasonable expectations of data subjects (§26 of the Opinion).
Therefore, the Advocate General found that Article 5(1)(c) GDPR does not allow the processing of personal data for the purposes of targeted advertising without restriction as to time or type of data. The referring court must assess, in light of the circumstances and by applying the principle of proportionality, the extent to which the data retention period and the amount of data processed are justified with regard to the purpose (§28 of the Opinion).
On the second question:
Article 5(1)(b) GDPR establishes that personal data must be collected for specified, explicit and legitimate purposes. Article 9(1) GDPR indicates that processing of data concerning, inter alia, a natural person’s sexual orientation is prohibited, unless such processing falls under one of the exemptions provided for in Article 9(2) GDPR. Under Article 9(2)(e) GDPR, one of these exemptions is when the personal data is manifestly made public by the data subject.
The Advocate General pointed out that the use of the adverb ‘manifestly’ and the fact that this provision is an exemption to the general prohibition requires a particularly stringent application of that exemption. The data subject must be fully aware that by an explicit act they are making their personal data accessible to anyone (§35 of the Opinion). In the present case, the sensitive data was disclosed outside the Facebook platform and outside any other platform or computer application.
The CJEU ruled that clicking on ‘Like’ or ‘Share’ buttons does not make the data resulting from the clicking manifestly public (CJEU, Meta Platforms and Others). The Advocate General made a distinction between (i) whether the data subject’s statement on his sexual orientation constitutes an act by which he manifestly made public that sexual orientation and (ii) if the response is affirmative, whether this permits the processing of this personal data for personalised advertising purposes (§39 of the Opinion).
On point (i), the Advocate General noted that Article 9(2)(e) GDPR requires two conditions to be met: an ‘objective’ condition that the personal data must be ‘manifestly made public’ and a ‘subjective’ condition that ‘the data subject’ makes it manifestly public (§41 of the Opinion). Regarding the first condition, he considered that in the present case, the panel discussion was broadcast live and then as a stream and the subject addressed at the panel was of public interest. Therefore, the data subject’s statement may have reached an indefinite public, much wider than that in attendance (§42 of the Opinion). Regarding the second condition, he held that it was possible to assume that the data subject had full awareness of making that orientation manifestly public, in particular in the context of an event which was open and accessible to the press (§43 of the Opinion).
The Advocate General also noted that although once the ‘protected’ personal data has been manifestly made public, it becomes ‘ordinary’ data, it must still however be processed lawfully under the conditions laid down in Articles 6 and 7 GDPR, and in compliance with the principles of Article 5 GDPR (§46 of the Opinion).
Therefore, a statement made by a data subject about their own sexual orientation during a panel discussion open to the public may constitute an act by which the data subject has manifestly made public those data under Article 9(2)(e) GDPR. However, this does not in itself permit the processing of those data with a view to aggregating and analysing the data for the purpose of personalised advertising.
Holding
On 4 October 2024 the CJEU answered the two remaining preliminary questions.
On the first question:
Firstly, the CJEU stated that Article 5(1)(c) GDPR does not allow the controller, in particular a social network platform, to process the data collected inside and outside the platform for the purpose of targeted advertising for an unlimited time and without distinction as to type of data.
The CJEU based the reasoning on previous judgements, especially the Schufa case and the Digi case, providing for the interpretation of the data minimisation principle. The CJEU recalls that the data minimisation principle stipulates that personal data must be adequate, relevant and limited to what is necessary in relation to the processing purposes.
Regarding the temporal limitation on the processing of personal data, the CJEU emphasised that the principle of data minimisation requires the controller to limit the retention period of personal data to what is strictly necessary in the light of the objective of the processing activity.
Regarding the collection, aggregation and processing of personal data for the purposes of targeted advertising, without distinction as to the type of those data, the CJEU held that a controller may not collect personal data in a generalised and indiscriminate manner and must refrain from collecting data which are not strictly necessary for the processing purpose.
On the second question:
Secondly, the CJEU ruled that the fact that a person made a public statement about their sexual orientation does not authorise the operator of an online social network platform to process other data relating to the sexual orientation of that person. Therefore, in such a case the exemption in Article 9(2)(e) GDPR is not applicable.
Initially, the CJEU explained that Meta processed the data subject’s data concerning his sexual orientation before it was disclosed publicly by the data subject. Therefore, the exception in Article 9(2)(e) GDPR could only affect data processing after that date.
Then, the court recalled its judgements putting forward the concept of strict interpretation of Article 9(2) GDPR (in particular, the Meta C‑252/21 case). Hence, for Article 9(2)(e) GDPR specifically, the data subject needs to have the intention to make their data publicly accessible. Disclosure of sexual orientation during a panel organised for the general public might fall within Article 9(2)(e) GDPR. Yet, such a disclosure does not refer to any kind of data relating to the data subject’s sexual orientation. Thus, the processing of other personal data relating to the data subject’s sexual orientation is not covered by the exemption of Article 9(2)(e) GDPR.
Also, the fact that an individual manifestly made public information concerning their sexual orientation does not mean that the individual consented to the processing of other data relating to their sexual orientation by the operator of an online social network platform within the meaning of Article 9(2)(a) GDPR.
Comment
In paragraphs 46 and 47, the Advocate General makes an interesting point by highlighting that when the data subject has manifestly made the data public, the initially 'protected' data becomes 'ordinary'. However, this personal data must still be processed under the conditions set out in Articles 5, 6 and 7 GDPR.
This illustrates a multi-layered protection between Article 9 and Articles 5, 6 and 7: once the protection of Article 9 falls, the personal data remains protected under the other Articles.