- CJEU press releases (look for C-446/21 - Schrems)
- Full AG Opinion
Katharina Raabe-Stuppnig, lawyer representing Mr Schrems: "We are very pleased by the opinion, even though this result was very much expected."
Use of data for advertising must be limited by time, type and source. So far, Meta uses all the data it has ever collected for advertising. For example, Facebook user data can go back as far as 2004. To prevent such practices, the GDPR established the principle of "data minimisation" in Article 5(1)(c) GDPR. So far, Meta has simply ignored this and has not foreseen any deletion periods. The application of the 'data minimisation principle' radically restricts the use of personal data for advertising - even if users have consented to ads. It applies regardless of the legal basis used for the processing, so even a user who consents to personalised advertising cannot have their personal data used indefinitely. While the AG says that the national court would have to decide on the details, factors may be the type of personal data (like age -v- behavioral data), the source (like actively provided data -v- passiv technical tracking) or the context of the collection (like on a social network -v- on third pages).
Katharina Raabe-Stuppnig: "Meta has basically been building a huge data pool on users for 20 years now, and it is growing every day. EU law, however, requires 'data minimisation'. If the Court follows the opinion, only a small part of this pool will be allowed to be used for advertising - even if have consented to ads."
Limits on "scraping" of personal data - even if "manifestly made public". In the context of the highly personal information that Meta collected about Mr Schrems (via advertising partners), a discussion arose as to whether the subsequent public criticism of such practices would lead to a "waiver" of Mr Schrems' right to privacy in respect of the initially unlawful processing. Mr Schrems always agreed that he made such information public and it generally falls under Article 9(2)(e) GDPR ("mainfestly made public") - while some Member States before the CJEU were questioning this element. While this is a very specific situation of a single user, the interpretation of the law is relevant in the broader context of "web scraping", where publicly available information is simply taken and processed for other purposes. Mr Schrems argued that the principle of "purpose limitation" in Article 5(1) GDPR must be applied in parallel here. This is now also argued by the Advocate General.
Katharina Raabe-Stuppnig: "Just because some information is public, does not mean it can be used for any other purposes. If you make a political comment on social media, it cannot be used for targeting political advertising at you. If users lose all their rights to published information, it would have a huge chilling effect on free speech."
What is this case about? The case concerns a civil procedure between Max Schrems, as an individual, and Meta Ireland Platforms Limited (as the operator of "Facebook") before the Austrian Courts. The case was first fully heard in Austria in 2020 and concerns a large number of GDPR violations, including the lack of a legal basis for advertising and the like. The Austrian Supreme Court has referred four questions to the CJEU in 2021. However, as another case (C-252/21 Bundeskartellamt) partly covered similar questions, the CJEU "paused" the case between Mr Schrems and Meta until 2024. The original questions 1 and 3 were (indirectly) "won" because the CJEU sided with the view of Mr Schrems in C-252/21 Bundeskartellamt. The remainder of the case was then heard in Luxembourg on 8 February 2024, but limited to two remaining questions (original questions 2 and 4) that had not already been decided in C-252/21 Bundeskartellamt. The remaining questions are:
- Original Question 2: Is Article 5(1)(c) of the GDPR (data minimisation) to be interpreted as meaning that all personal data held by a platform such as that in the main proceedings (by way of, in particular, the data subject or third parties on and outside the platform) may be aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time or type of data?
- Original Question 4: Is Article 5(1)(b) of the GDPR, read in conjunction with Article 9(2)(e) thereof, to be interpreted as meaning that a statement made by a person about his or her own sexual orientation for the purposes of a panel discussion permits the processing of other data concerning sexual orientation with a view to aggregating and analysing the data for the purposes of personalised advertising?
Data minimisation. The original question 2 concerns Meta's approach of claiming that all personal data is essentially going into a big "data pool" and can be used for personal advertising indefinitely - without any limitation - as this seems to be an obvious violation of the data minimisation principle. While in some cases there is a clear limit for deletion (e.g. when a legal obligation to keep records ends), the issue is more complex when it comes to advertising.
Katharina Raabe-Stuppnig: "At the moment, the online advertising industry simply stores everything forever. The law is clear that the processing must stop after a few days or weeks. For Meta, this would mean that a large part of the information they have collected over the last decade would become taboo for advertising."
Further use of sensitive data. Original question 4 concerns an argument by the First Instance Court (and partly by Meta) that Mr Schrems mentioned his sexual orientation at an event in Vienna and may therefore have (implicitly) consented to the processing of any personal data relating to sexual orientation (and indeed sex life, which is separately protected in Article 9 GDPR) for advertising that took place years before the public statement. There is agreement that these statements were made public. However, Mr Schrems denies that Meta may therefore have processed other - highly personal - details in the years before. Mr Schrems emphasises that the principle of "purpose limitation" applies in parallel and that information shared for the purpose of critising unlawful processing by Meta cannot (retroactively) allow the use of personal data for a completely different purpose, such as advertising.
Katharina Raabe-Stuppnig: "This issue is highly relevant for anyone who makes a public statement. Do you retroactively waive your right to privacy for even totally unrelated information, or can only the statement itself be used for the purpose intended by the speaker? If the Court interprets this as a general 'waiver' of your rights, it would chill any online speech on Instagram, Facebook or Twitter."