The Court of Justice of the European Union (CJEU) recently delivered a significant ruling on the processing of personal data for personalized advertising. The court’s decision imposes strict limitations on how organizations can use such data, particularly when it involves sensitive information.
Background of the Case
The case originated from a lawsuit filed in Austria by privacy activist Maximilian Schrems, challenging Meta Platforms Ireland’s processing of his personal data. Schrems argued that Meta unlawfully used his data, including sensitive information about his sexual orientation, for targeted advertising. Meta collects extensive data of Facebook users through various means, such as cookies, social plug-ins, and pixels, tracking users’ activities both on and off the platform. This data collection allows Meta to infer users’ interests and serve personalized ads. The case was brought before the CJEU after two key questions were referred for interpretation.
Questions Before the CJEU
The first question was whether Article 5(1)(c) of the GDPR (data minimization principle) allows a platform to aggregate, analyze, and process all personal data it holds for targeted advertising without restrictions concerning the storage time or the type of data.
The second question examines whether a statement made by a person about their own sexual orientation for the purposes of a panel discussion permits the processing of other data concerning sexual orientation in order to aggregate and analyze the data for the purposes of personalized advertising. This hinges on the interpretation of two provisions:
- Article 5(1)(b), which mandates that personal data must be processed for specified, legitimate purposes and not in a way incompatible with those purposes.
- Article 9(2)(e), which allows the processing of sensitive data if the data subject has made that data manifestly public.
First Question: Data Minimization Principle
The Court emphasized that the data minimization principle requires personal data to be adequate, relevant, and limited to what is necessary for the processing. This reflects the proportionality principle, meaning that the processing of personal data should be strictly necessary for the intended purpose, and any excessive or indiscriminate processing is unlawful.
The Court highlighted Article 5(1)(e), which requires that personal data be kept in a form that permits identification of data subjects for only as long as is necessary for the purposes of processing. Consequently, the Court declared that even if data processing is initially lawful, it can become unlawful if the data is kept beyond the necessary period or if it is used for purposes other than the original intention. Once the original purpose is fulfilled, the data must be deleted. The Court further stated that in the light of the principle of data minimisation, the controller may not engage in the collection of personal data in a generalized and indiscriminate manner and must refrain from collecting data that is not strictly necessary for the purposes of the processing.
As per the ruling, Meta Platforms Ireland was collecting personal data of Facebook users both on and outside the social network and also followed users’ navigation patterns on those sites through the use of social plug-ins and pixels embedded in the relevant websites. The Court held that such extensive processing is characterized by a serious interference with the fundamental rights of the data subjects, particularly the right to respect for private life and protection of personal data.
Whereas the referring court shall make the final assessment of whether the processing conducted by Meta was justified in light of its objective of dissemination of targeted advertising, the Court declared that the principle of data minimization precludes controllers, such as social media platform operators, from aggregating, analyzing and processing personal data collected either on or outside the platform for the purposes of targeted advertising, without any restrictions as to time and without distinction as to the type of data.
Second Question: Public Disclosure of Sensitive Data
The second question considered whether Schrem's statement about his sexual orientation at a public panel discussion had given implied consent for Meta to process additional data related to his sexual orientation for advertisement. The CJEU recognized that under Article 9(2)(e) of the GDPR, which provides one of the exemptions to the general prohibition on processing of sensitive data, sensitive data can be processed if the individual has manifestly made it public.
However, the Court clarified that even if Schrems had made his sexual orientation public during the discussion, this did not authorize Meta to process additional data related to his sexual orientation obtained from third-party websites and apps, with a view to aggregating and analyzing such data for the purposes of personalized advertising. The court emphasized that the exception in Article 9(2)(e) must be interpreted strictly, meaning that the fact that a person has manifestly made a public statement concerning their sexual orientation does not imply that that person has given their consent to the processing of other data relating to their sexual orientation by the operator of an online social network platform.
Conclusion
The CJEU’s ruling has significant implications for how organizations handle personal data. Organizations must ensure that personal data is collected for specific and legitimate purposes and that further processing is not done in ways that are incompatible with those purposes. The amount of data processed should be restricted to what is strictly necessary to achieve the intended purpose.
Furthermore, personal data must only be retained for as long as needed to fulfill the original processing purpose. Importantly, organizations cannot assume that the public disclosure of certain information permits unrestricted processing of related data without proper justification or further consent. This decision is a crucial reminder for organizations to review and refine their data processing practices to ensure compliance with data protection laws. Strengthening data governance frameworks that prioritize privacy and ensure minimal and proportionate use of personal data enables organizations to show their commitment to regulatory compliance.