CJEU - Case C‑394/23 Mousse
CJEU - Case C‑394/23 Mousse | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 5(1)(c) GDPR Article 6(1)(b) GDPR Article 6(1)(f) GDPR |
Decided: | 11.07.2024 |
Published: | |
Parties: | Association Mousse CNIL |
National Case Number/Name: | Case C‑394/23 Mousse |
European Case Law Identifier: | ECLI:EU:C:2024:610 |
Appeal from: | |
Appeal to: | |
Original Language(s): | English |
Original Source: | CJEU (in English) |
Initial Contributor: | lm |
The Advocate General found that processing the titles of customers purchasing rail travel documents was unnecessary; thus, the controller could not rely on contract or legitimate interest as a legal basis.
English Summary
Facts
Association Mousse lodged a complaint with the French DPA (CNIL) after a data subject purchased rail travel documents from SNCF Connect (the controller). The controller required customers to enter their title (Madame / Monsieur) when they purchased travel documents. The complaint argued that the controller should not collect this data or that, at the very least, it should offer customers additional options such as ‘neutral’ or ‘other.’
The controller argued that knowing the sex of the data subject permitted it to personalise communications in accordance with commonly accepted practices in commercial communications. It also stated that the processing permitted it to adapt the services it provided (such as providing access to women-only carriages on night trains).
On 23 March 2021, the CNIL found that the controller’s processing did not violate the GDPR. It found the processing lawful under Article 6(1)(b) GDPR, viewing it as necessary for the performance of the contract to supply transport services, and considered the processing consistent with the principle of data minimisation.
Association Mousse brought an action for annulment of the CNIL’s decision before the Conseil d’État. In addition to reiterating its legal basis and data minimisation challenges, it pointed out that the processing infringed the right to travel without disclosing one’s title, the right to respect for private life and freedom to freely define one’s gender expression. It also noted that in countries who recognize nonbinary civil statuses, the indication does not correspond to reality and may prove contrary to the principle of accuracy.
The Conseil d’État stayed the proceedings and referred two questions to the CJEU.
- In assessing whether data collection is consistent with Article 5(1(c) GDPR and Articles 6(1)(b) and (f) GDPR, may account be taken of commonly accepted practices in civil, commercial and administrative communications (here, the collection of data relating to consumers’ titles)?
- In assessing the ‘necessity’ of collection and processing of customer titles under Article 6(1)(f) GDPR, should account be taken of the fact that the customers may exercise their right to object under Article 21 GPDR?
Advocate General Opinion
Question 1
With regard to the first question, the Advocate General concluded that the processing exceeded what was necessary to perform the contract pursuant to Article 6(1)(b) GDPR and was unlawful under Article 6(1)(f) GDPR. This also resulted in an infringement of the data minimisation principle under Article 5(1)(c) GDPR.
The Advocate General considered the CJEU’s interpretation of Article 6(1)(b) GDPR in C-252/21 Bundeskartellamt, in which it held that processing must be “objectively indispensable for a purpose that is integral to the contractual obligation..." to be considered ‘necessary’ within the meaning of Article 6(1)(b) GDPR. The question in this case is thus whether the processing of customer titles is objectively indispensable to achieve a purpose integral to the supply of transport. The Advocate General considered that neither the communication with the customer in accordance with commonly accepted practices in commercial communications nor the goal of offering personalised transport services (such as women-only rail cars) were an integral part of the supply of the transport service. While these practices were inherent in the supply of transport service, they were not indispensable such that there was “no other practicable and less intrusive means of achieving the same purpose.” Thus, the Advocate General concluded, the processing went beyond what is necessary under Article 6(1)(b) GDPR.
In assessing the lawfulness of the processing under Article 6(1)(f) GDPR, the Advocate General considered whether the controller’s processing met the CJEU’s three-part test: (1) pursuit of a legitimate interest; (2) necessity of processing to achieve the legitimate interest; and (3) the legitimate interest is not outweighed by the interests or fundamental freedoms and rights of persons concerned. For the first step, the Advocate General cited C-252/21 Bundeskartellamt’s interpretation that under Article 13(1)(d) GDPR, the controller is responsible for informing the data subject of the legitimate interests pursued where processing is based on Article 6(1)(f) GDPR. The controller did not fulfil this obligation. Its privacy statement merely referenced ‘legitimate interest’ as its legal basis without specifying precisely what the legitimate interest was. Further, the general reference in the privacy policy, which the data subject must consciously and separately search for, did not comply with Article 13(1)(d) GDPR’s obligation to inform the data subject of the legitimate interest at the time when personal data are collected, which the Advocate General interprets as requiring that “such information is brought directly to the customer’s attention when he or she provides the data in question...”
Given the failure to inform data subjects of the legitimate interest pursued, the Advocate General found that the processing was not lawful under Article 6(1)(f) GDPR. However, it still conducted the rest of the three-part test in case the CJEU found the legitimate interest was properly communicated. Under the first step, the purpose of communication with a customer may constitute a legitimate interest. The second step, however, was not satisfied because the processing went beyond what was necessary to communicate with the customer. Finally, the Advocate General found that the controller’s legitimate interest of communication with the customer could not override the fundamental rights and freedoms of the data subject. It noted that a customer of the controller could not have reasonably expected that this data would be processed with the aim of communicating with the customer.
Question 2
The Advocate General concluded that Article 21 GDPR cannot be taken into consideration in examining the necessity of processing under Article 6(1)(f) GDPR.
The Advocate General considered that Articles 6(1) and 21 GDPR perform different functions. As a result, Article 21 GDPR cannot be taken into consideration in examining the lawfulness of processing, which is governed solely by Article 6 GDPR. If the existence of a right to object were taken into account to assess the lawfulness of processing under Article 6GDPR, it would amount to processing being accepted as lawful on the sole ground that the data subject might subsequently object to that processing. This would make the level of protection available to data subjects dependent on their diligence in objecting to the processing of their personal data, undermining the GDPR’s objective of ensuring a high level of protection.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.