Introduction
The Court of Justice of the European Union (CJEU) recently delivered an important judgment regarding SNCF Connect’s (the company selling rail travel documents, including train tickets) practice of mandating customers to select a title (“Monsieur” or “Madame”) during online ticket purchases. This case, brought by the association Mousse, scrutinized the necessity and lawfulness of collecting gender-related data under the General Data Protection Regulation (GDPR). The decision emphasizes key GDPR principles, particularly lawful processing Article 6(1)(b), the necessity for contractual performance, and Article 6(1)(f), legitimate interests, and data minimization.
The CJEU examined the following issues:
- Does the collection of customers’ gendered titles for personalized commercial communication comply with the GDPR principles of data minimization (Article 5(1)(c)) and lawful processing? Specifically, is it necessary for the performance of a contract (Article 6(1)(b)) or legitimate interests (Article 6(1)(f))?
- Should the existence of a data subject’s right to object under Article 21 influence the necessity assessment under Article 6(1)(f)?
Reasoning of the Court
The GDPR mandates that personal data processing be “limited to what is necessary” for the intended purpose. The Court analyzed whether SNCF Connect’s practice met this standard in relation to the legal bases of contractual performance and legitimate interest.
The Court ruled that requiring gendered titles is not indispensable for fulfilling a rail transport contract. The primary purpose of the contract is to provide transport services, which can be accomplished without collecting personal data like titles. Instead, generic and inclusive communication methods, such as neutral language, could achieve the same outcome while respecting the customer’s privacy.
SNCF Connect argued that collecting titles was relevant for adapting services, such as assigning gender-specific accommodations on night trains or assisting passengers with disabilities. However, the Court deemed this reasoning insufficient. Systematically collecting such data was disproportionate, as these scenarios involve specific groups and could be addressed through less intrusive methods.
B. Legitimate Interests
To justify processing under this provision, businesses must:
- Demonstrate a clear and legitimate interest.
- Prove the strict necessity of processing to achieve that interest.
- Show that data subjects’ rights do not override these interests.
While the Court acknowledged that personalized communication could constitute a legitimate interest, SNCF Connect’s approach failed to meet the required conditions. Customers were not explicitly informed of the legitimate interest, breaching transparency obligations. The processing was also unnecessary because less intrusive alternatives, such as generic communication, could achieve the same objectives. Simply relying on common practices or social conventions does not justify unnecessary data collection.
Moreover, the risk of discrimination, particularly against non-binary individuals, further invalidated claims of legitimate interest. This is particularly important considering Directive 2004/113, which prohibits discrimination based on gender, including gender identity, in accessing and supplying goods and services.
Right to Object
The CJEU, in response to the question from the French court, examined whether the existence of the right to object under Article 21 of the GDPR could influence the assessment of ‘necessity’ when processing data based on legitimate interest.
The CJEU unequivocally clarified that the right to object is not a factor in determining the initial lawfulness of data processing. This right only becomes applicable if the processing is already considered lawful. It cannot be used retroactively to justify data processing that doesn't meet the ‘strict necessity’ requirement outlined in Article 6(1)(f) of the GDPR.
The Court emphasized these critical points:
- Data processing must independently satisfy the conditions for lawfulness, which include demonstrating that it is strictly necessary to achieve the stated legitimate interest.
- Organizations cannot rely on the right to object as a substitute for fulfilling the ‘necessity’ requirement.
Allowing such a practice would weaken the GDPR's protective framework by shifting the burden of ensuring data protection from data controllers to data subjects. The judgment reinforces the principle that the right to object is an additional layer of protection for individuals; it cannot be exploited to excuse or compensate for unlawful data collection practices. Organizations must prioritize compliance with data minimization principles from the outset of any data processing activity.
Conclusion and Implications for Organizations
This landmark ruling highlights the necessity of aligning data collection practices with GDPR principles. Organizations must critically evaluate whether collecting specific data is essential for their operations. They should:
- Adopt inclusive and non-discriminatory practices, particularly for personal data collection.
- Ensure transparency by clearly communicating the purpose and legitimate interest behind data collection.
- Regularly assess whether less intrusive alternatives can achieve the same objectives.
- Understand that the right to object under Article 21 of the GDPR is a safeguard for lawful processing, it cannot retroactively justify or compensate for data collection that fails the necessity requirement under Article 6(1)(f).
The judgment reinforces that data processing must be “adequate, relevant, and limited to what is necessary” while avoiding risks to fundamental rights, such as discrimination. By prioritizing these factors, organizations can ensure lawful and ethical data practices and build trust and respect for their customers' privacy.
