CJEU again confronted with Meta – Permissible extent of data use for advertising

by Dr. Gerald Trieb and Jennifer Salomon//

The CJEU once again had to deal with questions concerning details on the processing of personal data on the social media platform Facebook. Meta collects data either on or outside the social media platform and aggregates, analyses, and processes personal data, using Cookies, Social Plug-Ins, and Pixels without any time limit and without differentiating between the type of data obtained from the data subject or from third parties. With the available data, Meta is able to identify the users’ interest in sensitive topics, such as health, sexual orientation, ethnic groups and political parties, and is thereby able to direct targeted advertising at them relating to, for example, a given sexual orientation or political belief.

Max Schrems, honorary chairman of noyb, sued Meta in Austria for enforcement, declaratory and injunctive relief against the allegedly unlawful processing of his personal data because he received advertising concerning an Austrian politician, which was based on the analysis done by Meta indicating that he had points in common with other users who had ‘liked’ that politician. He also regularly received advertising targeting homosexual people and invitations to related events, although he had never previously shown any interest in those events and did not know where they were to be held. However, he did speak about his homosexuality at a panel discussion, which was also available on the Internet. According to the OGH the advertising and those invitations were not based directly on the sexual orientation of Max Schrems and his “friends”, but rather on an analysis of their interests, in this case on the fact that one of his friends “liked” a product.

The Austrian Supreme Court initially referred four questions to the CJEU. Two of these questions were withdrawn due to the decision of the CJEU judgment of 4 July 2023, C-252/21 Meta Platforms et al. The two remaining questions are:

  1. Does the data minimization principle (Article 5(1)(c) GDPR) mean that all personal data held by a platform may be aggregated analyzed and processed for the purposes of targeted advertising without any restriction?

  2. Does Article 5(1)(b) read in conjunction with Article 9(2)(e) GDPR mean that a statement made by a person about their sexual orientation for the purposes of a panel discussion permits a controller to process other data concerning their sexual orientation to offer them personalized advertising?

Meta must minimize data use for targeted advertising

In response to the first question the CJEU points out that Article 5(1)(c) GDPR, which sets out the data minimization principle, provides that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. In any event, according to the CJEU the storage of the personal data of the users of a social network platform for an unlimited period for the purpose of targeted advertising must be considered a disproportionate interference in the rights guaranteed to those users by the GDPR. Furthermore, the CJEU concludes from the principle of data minimization that the indiscriminate use of all personal data for advertising purposes, irrespective of the level of sensitivity of this data, is not proportionate.

Although the CJEU has not given any indication of a more precise weighing of interests except that the longer the storage period of those data is, the greater the impact on the interests and private life of the data subject will be, the Advocate General has suggested that a distinction can be made between static data (e.g. age or sex) and behavioral data (e.g. monitoring browsing habits), as the latter is in general more intrusive as regards to the data subject’s rights. Regarding behavioral data, a distinction can also be drawn between active behavior (e.g. clicking on the “like” button) and passive behavior (e.g. visiting a website), as the latter is generally more intrusive for the user. On the other hand, the Advocate General also distinguishes between the processing of personal data collected on the Facebook platform, and outside that platform, the latter being more intrusive for the data subject. In particular and according to the CJEU, the tracking of navigation behavior outside the platform can, due to the particularly extensive processing, lead to the feeling that private life is being continuously monitored and therefore represents a serious interference with the fundamental rights of the data subject.

To ensure the above-mentioned restriction of processing in relation to the principle of data minimization, the CJEU demands that according to Art 25(2) GDPR the controller must ensure that, by default, only personal data which are necessary to achieve the purpose are processed.

The manifest publication of data does not lead to a general exclusion of the special protection under Art 9 GDPR

In response to the second question, the CJEU points out that the processing of sensitive data is permissible under Art 9(2)(e) GDPR if the data has manifestly been made public by the data subject with full knowledge of the facts, which, according to the CJEU, cannot be ruled out due to the disclosure of homosexuality during the public panel discussion. However, this circumstance does not authorize the processing of other personal data, e.g. relating to sexual orientation, because it would contradict the restrictive interpretation of Art 9(2)(e) GDPR to assume that sensitive data is no longer covered by the scope of protection under Art 9(1) solely because the data subject has manifestly made public certain personal data relating to his or her sexual orientation.

The Oberlandesgericht Wien (Court of Appeal) considered the processing to be necessary within the meaning of Art 6(1)(b) GDPR. Although the Supreme Court pointed out that this view was not self-evident and referred a question to the CJEU on the interpretation of Art 6(1)(b) GDPR, it withdrew it with reference to C-252/21 (Meta Platforms) of 4 July 2023, which is why the CJEU did not have to answer it in the present proceedings. However, the fact that the Supreme Court did not withdraw the question referred under Art 9 GDPR could indicate that it considers a legal basis under Art 6 GDPR to exist, as it could otherwise directly deny the lawfulness of the processing due to the lack of a legal basis under Art 6 GDPR. According to CJEU E C-252/21 (Meta Platforms), the processing of personal data for the personalization of content and for the consistent and seamless use of Meta Group services by Meta cannot be considered necessary for the performance of the contract. However, it should be noted that Meta changed its concept following C-252/21 (Meta Platforms) but before the decision in this case and now offers a so-called “pay or okay” model. It therefore remains to be seen whether the Supreme Court will take this distinction as an opportunity to clarify whether the processing of the data in question may be based on the performance of the contract pursuant to Art 6(1)(b) GDPR on the basis of the pay-or-go model. Clearity on this question would be warmly appreciated.

Dr. Gerald Trieb is Partner at Knyrim Trieb Rechtsanwälte, Vienna (Austria)

Jennifer Salomon is Associate at Knyrim Trieb Rechtsanwälte, Vienna (Austria)