The ECJ has ruled in the Judgment C‑446/21 of October 4, 2024 deals with the question of whether. The ruling concerns another legal dispute between Max Schrems and Meta. A comment from noyb was here published.
The background to the ruling is the fact that Meta – Facebook – can collect information about visits to third-party sites via various tools, namely social plug-ins and pixels integrated on third-party sites. This also includes pages of “political parties and […] websites aimed at a homosexual audience”. When Schrems visited such sites, Meta collected corresponding data about him and, as a result, Schrems received advertising for an Austrian politician and advertising aimed at a homosexual audience.
Proportionality (and the core content of the fundamental right to data protection)
The ECJ first comments on the Proportionality principle (pursuant to Art. 5 para. 1 lit. c and Art. 5 para. 2 GDPR):
58 In any case, a unlimited storage personal data of users of a social network platform for the purposes of targeted advertising as more disproportionate interference with the rights that the GDPR guarantees these users.
59 As regards, third, the fact that the personal data at issue in the main proceedings are collected, aggregated, analyzed and processed without distinction as to their nature for the purposes of targeted advertising, the Court has already held that the controller may not collect personal data in a general and indiscriminate manner and that it must refrain from collecting data for the purposes of targeted advertising. which are not strictly necessary for the purposes of the processing […].
60 Furthermore, the person responsible must take appropriate measures in accordance with Art. 25 (2) GDPRwhich ensure that, by default, only personal data whose processing is necessary for the specific processing purpose is processed. According to this provision, this obligation applies, among other things, to the amount of personal data collected, the scope of its processing and its accessibility.
Although it is A matter for the person responsibleto limit its data processing accordingly, which the national court must examine:
57 It is therefore […] for the national court, taking into account all the relevant circumstances and applying the principle of proportionality referred to in Article 5(1)(c) GDPR, to assess whether the retention of personal data by the controller is reasonably justified in view of the objective of enabling the display of personalized advertising. c GDPR, to assess whether the duration of the storage of the personal data by the controller is reasonably justified with regard to the objective of enabling the display of personalized advertising.
However, the procurement of user data constitutes a serious interference in the present case. The ECJ therefore refrains from leaving the balancing of interests to the substantive court and thus to the arguments of the controller. Instead, it derives from Art. 5 GDPR a per se prohibition of the processing in question, which is particularly extensive in various respects. As a result, the ECJ apparently sees the Core content of the fundamental rights enshrined in the Charter injured:
65 In the light of the foregoing, the answer to the second question is that Art. 5(1)(c) GDPR must be interpreted as meaning that the c GDPR must be interpreted as meaning that the principle of “data minimization” laid down therein precludes that all personal datathat a controller such as the operator of an online platform for a social network receives from the data subject or from third parties and which were collected both on and off this platform, unlimited in time and without distinction aggregated, analyzed and processed according to their nature for the purposes of targeted advertising.
On the “obviously made public” data
The next point concerns the question of when special categories of personal data “obviously made public” – in this case, the processing prohibition of Art. 9 para. 1 GDPR is lifted (para. 2 lit. e). The case concerned a panel discussion in which Max Schrems had spoken out about his homosexuality. The ECJ initially states here that lit. e should be interpreted narrowly as an exception – a dogmatic nonsense that is also frequently heard in Switzerland; exceptions are not to be interpreted narrowly, but simply according to the usual methods.
In any case, the decisive factor is whether the person concerned Intent personal data in question expressly and by a clear affirmative act of the data subject. accessible to the general public to make (ECJ, C‑252/21para. 77). This “could not be ruled out” in the present case:
78 In the present case, it is apparent from the order for reference that the […] panel discussion, in the context of which Mr Schrems expressed his views on his sexual orientation, was the The publicwho were able to obtain tickets to participate within the limits of available seats, and that the panel discussion transmitted via streaming was made. In addition, a recording of the panel discussion will later be available as a Podcast and on the Youtube channel have been published by the Commission.
79 In those circumstances, and subject to the verifications to be carried out by the national court, it cannot be ruled out that the statement in question, even if it was part of a broader speech and was made for the sole purpose of criticizing the processing of personal data by Facebook, constitutes an act by which the data subject, in full knowledge of the facts, manifestly made public his sexual orientation within the meaning of Article 9(2)(e) of the GDPR.
However, this does not mean that Meta is also other data on Schrems’ sexual orientation. Rather, the legal basis covers exclusively the published data:
81 On the one hand, it would be contrary to Article 9(2)(e) GDPR, which must be interpreted narrowly, if all data relating to a person’s sexual orientation were to be excluded from the protection of Article 9(1) GDPR simply because the data subject has obviously made personal data relating to their sexual orientation public.
82 Secondly, the fact that a person has obviously made data about their sexual orientation public does not mean that they have given their consent within the meaning of Art. 9(2)(a) GDPR for the operator of an online platform for a social network to process other data about their sexual orientation.