On 4 October 2024, the Court of Justice of the European Union (“CJEU”) issued several rulings relevant to data protection including a decision related to the use of personal data in the context of targeted online advertising (C-446/21).

It is worth remembering that while CJEU cases are no longer binding in the UK, UK data protection law remains consistent (for the time being) with EU data protection law, and interpretations of similar cases in the UK are likely to have similar outcomes.

In addition to this, the new Labour government has indicated on several occasions that it aims to reset relations with the EU, and it recently revoked commencement regulations brought in by the previous government, which had aimed to encourage UK courts to depart from assimilated case law. This suggests that (at least for the time being) CJEU cases are still highly significant when interpreting UK data protection law.

Summary

The CJEU held that in the context of online advertising (though the implications are broader), organisations cannot use all personal data that they obtain for the purposes of targeted advertising without restriction as to time, and without distinction as to type of data.

It also ruled that where a data subject ‘manifestly makes public’ his or her special category personal data, this does not mean an organisation can process that data without restriction.

Background

The ruling relates to an action brought by Max Schrems, who had filed a lawsuit against Meta relating to how Meta processed his sensitive personal data. Meta collects personal data of Facebook users both on and outside the Facebook network (and its other social networks/online services), including data relating to online platform visits and third-party websites and apps. Max Schrems (historically) had made a statement about his sexual orientation during a public panel discussion, and using that data, Meta was able to identify Max Schrems’ interest in sensitive topics (including his sexual orientation), which Meta used for targeted advertising. 

Max Schrems regularly received advertising on Facebook targeting homosexual persons and invitations to related events, even though he had never previously shown an interest in those events on the platform (in other words, Max Schrems had never indicated his sexual orientation on his Facebook profile). Max Schrems requested (among other things) that Meta cease processing his personal data for the purposes of personalised advertising, and cease using data derived from visits to third-party websites obtained by third parties.

The ruling

The CJEU addressed two main questions relating to:

  1. Could Article 5(1)(c) GDPR be interpreted as meaning that all personal data held by a platform such as Facebook could be processed for the purposes of targeted advertising without restriction as to time or type of data, irrespective of whether the data was collected from within or outside the platform, or from a third-party source? (the ‘second question’, on data minimisation); and
  2. Was the processing of Max Schrems’ personal data relating to his sexual orientation permissible on the basis that he had made such information ‘manifestly public’, one of the exceptions for processing special category personal data under Article 9(2)(e) GDPR? (referred to as the ‘fourth question’ in the ruling).

On both questions, the CJEU found the following:

  1. The second question - A controller cannot process personal data for the purposes of targeted advertising without restriction as to time and without restriction as to type of data, as this falls foul of the data minimisation principle. The CJEU held that: 

    “The storage of the personal data of the users of a social network platform for an unlimited period for the purpose of targeted advertising must be considered to be a disproportionate interference in the rights guaranteed to those users by the GDPR.”
     
  2. The fourth question - While it may have been the case that Max Schrems manifestly made public data relating to his sexual orientation, this did not authorise Meta to then use that data for advertising purposes. The CJEU held that to do so would be “contrary to the restrictive interpretation that should be made of Article 9(2)(e) of the GDPR”.

Implications

The CJEU considered that Meta’s collection of user data both on and outside its platform was “particularly extensive”, as it relates to potentially unlimited data and has a “significant impact on the user…which may give rise to the feeling that his or her private life is being continuously monitored”. The indiscriminate use of personal data for advertising purposes (regardless of whether this data was special category) was deemed not to be a proportionate interference with the rights guaranteed to individuals under the GDPR.

The key point from the fourth question was that even though Max Schrems may have ‘manifestly made public’ his special category data for the purposes of allowing Meta to process that data, this did not provide Meta with a blank cheque to process that data however it saw fit.

So, what does this mean in practice?

Meta has been fined for non-compliance with the data minimisation principle, so will need to revisit its data cleansing and retention policies and processes in order to refine its data sets for targeted advertising.

While this decision focusses on Meta’s practices, there is also food for thought for online advertisers, particularly those who process personal data for targeted advertising purposes. Meta usually positions itself as joint controller with advertisers, and so any such advertisers should proceed with caution until they have sought and received assurances from Meta around their compliance in light of this decision. At the time of writing there have been no public statements from Meta giving advertisers comfort in this regard.

This decision appears to be the latest in a (long) line of decisions aimed at social media platforms, causing them to take a deep dive into their data sets to really understand what they have, what they are using and how they are complying with the GDPR. In some circumstances, putting stricter controls in place around how data sets can be used for retargeting would appear sensible considering this latest ruling from the CJEU.