In today's ruling in C-446/21 (Schrems v. Meta), the Court of Justice of the European Union (CJEU) has fully backed a lawsuit brought against Meta over its Facebook service. The Court decided on two questions: First, massively limiting the use of personal data for online advertisements. Secondly, limiting the use of publicly available personal data to the originally intended purposes for publication.
- Press Release by the CJEU
- Full Judgement
- Summary of the ruling on GDPRhub
Katharina Raabe-Stuppnig, lawyer representing Mr Schrems: "We are very pleased by the ruling, even though this result was very much expected."
First question: Use of data for advertising must be "minimised". So far, Meta uses all personal data it has ever collected for advertising. For example, Facebook user data can go back as far as 2004 and include data entered by the user, by other users or data collected via online tracking or tracking on mobile apps. To prevent such practices, the GDPR established the principle of "data minimisation" in Article 5(1)(c) GDPR, requiring to limit the processing to strictly necessary data. So far, Meta and many other players in the online advertising space have simply ignored this rule and did not foresee any deletion periods or limitation based on the type of personal data. The application of the 'data minimisation principle' radically restricts the use of personal data for advertising. The principle of data minimisation applies regardless of the legal basis used for the processing, so even a user who consents to personalised advertising cannot have their personal data used indefinitely. In line with the common practice of the CJEU, the Court left the details of how to implement the data minimisation principle to the national courts.
Katharina Raabe-Stuppnig: "Meta has basically been building a huge data pool on users for 20 years now, and it is growing every day. However, EU law requires 'data minimisation'. Following this ruling, only a small part of Meta's data pool will be allowed to be used for advertising - even when users consent to ads. This ruling also applies to any other online advertisement company, that does not have stringent data deletion practices."
Second question: Public criticism does not allow processing. Under Article 9(2)(e) GDPR information that is "manifestly made public" may be processed by a company, because the legislator assumes that the data subject agreed to the use. Mr Schrems argued that his public comments were made years after the processing of other information took place. His later comments could not be seen as an agreement to the processing of other information years ago and cannot have "traveled" back in time. Other parties to the procedure also questioned if the mere mention of a fact during a public discussion would amount to making such information "manifestly public".
Katharina Raabe-Stuppnig: "It would have a huge chilling effect on free speech, if you would lose your right to data protection in the moment that you criticise unlawful processing of personal data in public. We welcome that the CJEU has rejected this notion."
Background:
History of the case. The case concerns a civil procedure between Max Schrems, as an individual, and Meta Ireland Platforms Limited (as the operator of "Facebook") before the Austrian Courts. The case was first filed in 2014 and first fully heard in Austria in 2020 and concerns a large number of GDPR violations, including the lack of a legal basis for advertising and the like. The Austrian Supreme Court has referred four questions to the CJEU in 2021. However, as another case (C-252/21 Bundeskartellamt) partly covered similar questions, the CJEU "paused" the case between Mr Schrems and Meta until 2024. The original questions 1 and 3 were (indirectly) "won" because the CJEU sided with the view of Mr Schrems in C-252/21 Bundeskartellamt. The remainder of the case was then heard in Luxembourg on 8 February 2024, but limited to two remaining questions (original questions 2 and 4) that had not already been decided in C-252/21 Bundeskartellamt. The remaining questions were:
- Original Question 2: "Is Article 5(1)(c) of the GDPR (data minimisation) to be interpreted as meaning that all personal data held by a platform such as that in the main proceedings (by way of, in particular, the data subject or third parties on and outside the platform) may be aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time or type of data?"
- Original Question 4: "Is Article 5(1)(b) of the GDPR, read in conjunction with Article 9(2)(e) thereof, to be interpreted as meaning that a statement made by a person about his or her own sexual orientation for the purposes of a panel discussion permits the processing of other data concerning sexual orientation with a view to aggregating and analysing the data for the purposes of personalised advertising?"
Data minimisation. The original question 2 concerns Meta's approach of claiming that all personal data is essentially going into a big "data pool" and can be used for personal advertising indefinitely - without any limitation - as this seems to be an obvious violation of the data minimisation principle. While in some cases there is a clear limit for deletion (e.g. when a legal obligation to keep records ends), the issue is more complex when it comes to advertising. Companies must develop data management protocols to gradually delete unneeded data or stop using them.
Further use of sensitive data. Original question 4 concerns an argument by the First Instance Court (and partly by Meta) that Mr Schrems mentioned his sexual orientation at an event in Vienna and may therefore have (implicitly) consented to the processing of any personal data relating to sexual orientation (and indeed sex life, which is separately protected in Article 9 GDPR) for advertising that took place years before the public statement. There is agreement that these statements were made public. However, Mr Schrems denies that Meta may therefore have processed other - highly personal - details in the years before. Mr Schrems emphasises that the principle of "purpose limitation" applies in parallel and that information shared for the purpose of critising unlawful processing by Meta cannot (retroactively) allow the use of personal data for a completely different purpose, such as advertising.