ECJ, C/422/5 – Schrems c. Meta: Dis­pro­por­tio­na­te pro­ce­s­sing by Meta; data obvious­ly made public

The ECJ has ruled in the Judgment C‑446/21 of Octo­ber 4, 2024 deals with the que­sti­on of whe­ther. The ruling con­cerns ano­ther legal dis­pu­te bet­ween Max Schrems and Meta. A com­ment from noyb was here published.

The back­ground to the ruling is the fact that Meta – Face­book – can coll­ect infor­ma­ti­on about visits to third-par­ty sites via various tools, name­ly social plug-ins and pixels inte­gra­ted on third-par­ty sites. This also inclu­des pages of “poli­ti­cal par­ties and […] web­sites aimed at a homo­se­xu­al audi­ence”. When Schrems visi­ted such sites, Meta coll­ec­ted cor­re­spon­ding data about him and, as a result, Schrems recei­ved adver­ti­sing for an Austri­an poli­ti­ci­an and adver­ti­sing aimed at a homo­se­xu­al audience.

Pro­por­tio­na­li­ty (and the core con­tent of the fun­da­men­tal right to data protection)

The ECJ first comm­ents on the Pro­por­tio­na­li­ty prin­ci­ple (pur­su­ant to Art. 5 para. 1 lit. c and Art. 5 para. 2 GDPR):

58 In any case, a unli­mi­t­ed sto­rage per­so­nal data of users of a social net­work plat­form for the pur­po­ses of tar­ge­ted adver­ti­sing as more dis­pro­por­tio­na­te inter­fe­rence with the rights that the GDPR gua­ran­tees the­se users.

59 As regards, third, the fact that the per­so­nal data at issue in the main pro­ce­e­dings are coll­ec­ted, aggre­ga­ted, ana­ly­zed and pro­ce­s­sed wit­hout distinc­tion as to their natu­re for the pur­po­ses of tar­ge­ted adver­ti­sing, the Court has alre­a­dy held that the con­trol­ler may not coll­ect per­so­nal data in a gene­ral and indis­cri­mi­na­te man­ner and that it must refrain from coll­ec­ting data for the pur­po­ses of tar­ge­ted adver­ti­sing. which are not strict­ly neces­sa­ry for the pur­po­ses of the pro­ce­s­sing […].

60 Fur­ther­mo­re, the per­son respon­si­ble must take appro­pria­te mea­su­res in accordance with Art. 25 (2) GDPRwhich ensu­re that, by default, only per­so­nal data who­se pro­ce­s­sing is neces­sa­ry for the spe­ci­fic pro­ce­s­sing pur­po­se is pro­ce­s­sed. Accor­ding to this pro­vi­si­on, this obli­ga­ti­on applies, among other things, to the amount of per­so­nal data coll­ec­ted, the scope of its pro­ce­s­sing and its accessibility.

Alt­hough it is A mat­ter for the per­son respon­si­bleto limit its data pro­ce­s­sing accor­din­gly, which the natio­nal court must examine:

57 It is the­r­e­fo­re […] for the natio­nal court, taking into account all the rele­vant cir­cum­stances and app­ly­ing the prin­ci­ple of pro­por­tio­na­li­ty refer­red to in Artic­le 5(1)(c) GDPR, to assess whe­ther the reten­ti­on of per­so­nal data by the con­trol­ler is rea­son­ab­ly justi­fi­ed in view of the objec­ti­ve of enab­ling the dis­play of per­so­na­li­zed adver­ti­sing. c GDPR, to assess whe­ther the dura­ti­on of the sto­rage of the per­so­nal data by the con­trol­ler is rea­son­ab­ly justi­fi­ed with regard to the objec­ti­ve of enab­ling the dis­play of per­so­na­li­zed advertising.

Howe­ver, the pro­cu­re­ment of user data con­sti­tu­tes a serious inter­fe­rence in the pre­sent case. The ECJ the­r­e­fo­re refrains from lea­ving the balan­cing of inte­rests to the sub­stan­ti­ve court and thus to the argu­ments of the con­trol­ler. Instead, it deri­ves from Art. 5 GDPR a per se pro­hi­bi­ti­on of the pro­ce­s­sing in que­sti­on, which is par­ti­cu­lar­ly exten­si­ve in various respects. As a result, the ECJ appar­ent­ly sees the Core con­tent of the fun­da­men­tal rights enshri­ned in the Char­ter injured:

65 In the light of the fore­go­ing, the ans­wer to the second que­sti­on is that Art. 5(1)(c) GDPR must be inter­pre­ted as mea­ning that the c GDPR must be inter­pre­ted as mea­ning that the prin­ci­ple of “data mini­mizati­on” laid down the­r­ein pre­clu­des that all per­so­nal datathat a con­trol­ler such as the ope­ra­tor of an online plat­form for a social net­work recei­ves from the data sub­ject or from third par­ties and which were coll­ec­ted both on and off this plat­form, unli­mi­t­ed in time and wit­hout distinc­tion aggre­ga­ted, ana­ly­zed and pro­ce­s­sed accor­ding to their natu­re for the pur­po­ses of tar­ge­ted advertising.

On the “obvious­ly made public” data

The next point con­cerns the que­sti­on of when spe­cial cate­go­ries of per­so­nal data “obvious­ly made public” – in this case, the pro­ce­s­sing pro­hi­bi­ti­on of Art. 9 para. 1 GDPR is lifted (para. 2 lit. e). The case con­cer­ned a panel dis­cus­sion in which Max Schrems had spo­ken out about his homo­se­xua­li­ty. The ECJ initi­al­ly sta­tes here that lit. e should be inter­pre­ted nar­row­ly as an excep­ti­on – a dog­ma­tic non­sen­se that is also fre­quent­ly heard in Switz­er­land; excep­ti­ons are not to be inter­pre­ted nar­row­ly, but sim­ply accor­ding to the usu­al methods.

In any case, the decisi­ve fac­tor is whe­ther the per­son con­cer­ned Intent per­so­nal data in que­sti­on express­ly and by a clear affir­ma­ti­ve act of the data sub­ject. acce­s­si­ble to the gene­ral public to make (ECJ, C‑252/21para. 77). This “could not be ruled out” in the pre­sent case:

78 In the pre­sent case, it is appa­rent from the order for refe­rence that the […] panel dis­cus­sion, in the con­text of which Mr Schrems expres­sed his views on his sexu­al ori­en­ta­ti­on, was the The publicwho were able to obtain tickets to par­ti­ci­pa­te within the limits of available seats, and that the panel dis­cus­sion trans­mit­ted via strea­ming was made. In addi­ti­on, a recor­ding of the panel dis­cus­sion will later be available as a Pod­cast and on the You­tube chan­nel have been published by the Commission.

79 In tho­se cir­cum­stances, and sub­ject to the veri­fi­ca­ti­ons to be car­ri­ed out by the natio­nal court, it can­not be ruled out that the state­ment in que­sti­on, even if it was part of a broa­der speech and was made for the sole pur­po­se of cri­ti­ci­zing the pro­ce­s­sing of per­so­nal data by Face­book, con­sti­tu­tes an act by which the data sub­ject, in full know­ledge of the facts, mani­fest­ly made public his sexu­al ori­en­ta­ti­on within the mea­ning of Artic­le 9(2)(e) of the GDPR.

Howe­ver, this does not mean that Meta is also other data on Schrems’ sexu­al ori­en­ta­ti­on. Rather, the legal basis covers exclu­si­ve­ly the published data:

81 On the one hand, it would be con­tra­ry to Artic­le 9(2)(e) GDPR, which must be inter­pre­ted nar­row­ly, if all data rela­ting to a person’s sexu­al ori­en­ta­ti­on were to be exclu­ded from the pro­tec­tion of Artic­le 9(1) GDPR sim­ply becau­se the data sub­ject has obvious­ly made per­so­nal data rela­ting to their sexu­al ori­en­ta­ti­on public.

82 Second­ly, the fact that a per­son has obvious­ly made data about their sexu­al ori­en­ta­ti­on public does not mean that they have given their con­sent within the mea­ning of Art. 9(2)(a) GDPR for the ope­ra­tor of an online plat­form for a social net­work to pro­cess other data about their sexu­al orientation.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles