Areas of Practice
29th Oct 2024
“An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data”
The Court of Justice of the European Union (CJEU) issued an important judgment on 4 October 2024 concerning the processing of sensitive data (or special categories of personal data) under the General Data Protection Regulation (GDPR), including inter alia data concerning sexual orientation, by social networks without the data subject’s consent.
It is important to note that the processing of special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited under the GDPR, unless one of the exemptions described in article 9(2) of the GDPR is applicable.
Facts
Meta Platforms Ireland Ltd (Meta) manages the provision of services of Facebook, an online social network, in the European Union (EU). It is the controller of the personal data of Facebook users in the EU, i.e. the legal person which determines the purposes and means of the processing of personal data.
Meta promotes, inter alia, services that as from 6 November 2023 continue to be free only for users who have consented to their personal data being collected and used for directing personalised advertising at them. Users also have the option of signing up for a paying subscription to access a version Facebook’s services without receiving personalised advertising.
Mr Maximilian Schrems, a Facebook user, did not give consent to Meta to process his personal data received by it from advertisers and other partners concerning Mr Schrems’ activities outside Facebook for the purpose of personalised advertising. All these data were used by that company to improve Facebook’s products and direct personalised advertising at Mr Schrems relating to his sexual orientation or political belief.
So how did Meta and Facebook collect the data relating to Mr Schrems? Certain data relating to Mr Schrems were received by Meta using cookies, social plug-ins and comparable technologies integrated into third-party websites. Meta can ascertain the source of visits through cookies. Moreover, Facebook’s social plug-ins are ‘embedded’ by third-party website operators into their pages, including the Facebook ‘like’ button. Each time such websites containing the ‘like’ button are visited, “the cookies stored on the device being used, the URL of the page visited and various log data, including IP addresses and time data, are transmitted to Meta. It is not necessary for the user to click on the ‘like’ button, since merely loading a page with such a plug-in is sufficient for those data to be transmitted to Meta.” According to the judgment, plug-ins are also found on websites of political parties and the websites targeted at homosexual users visited by Mr Schrems. Using those plug-ins, Meta was able to follow Mr Schrems’ internet behaviour, which triggered the collection of certain sensitive personal data. Similarly to social plug-ins, pixels can be embedded in websites and enable information to be collected about users who have visited those websites in order to measure and optimise advertising. Therefore, social plug-ins and pixels with cookies constitute an essential element of internet advertising, especially considering that a majority of content available on the internet is financed through advertising.
Mr Schrems did not post any sensitive data on his Facebook profile, including his sexual orientation, and he never indicated his sexual orientation on his Facebook profile. However, Mr Schrems had disclosed that he is homosexual to the public during a panel discussion which took place in Vienna in February 2019.
Mr Schrems argued before the Austrian courts that the processing of his personal data by Meta infringed several provisions of the GDPR. Mr Schrems submitted that his consent to the terms of use of Facebook did not comply with various provisions of the GDPR. The Austrian Supreme Court requested from the CJEU to interpret the GDPR’s provisions under 4 preliminary questions, 2 of which were later withdrawn.
Legal Questions
Is data minimisation under the GDPR, i.e. personal data processing being adequate, relevant and limited to what is necessary in relation to the purposes for which the data are being processed, to be interpreted as meaning that all personal data held by a platform, such as Facebook, be aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time or type of data?
Does a statement made by a person about his or her own sexual orientation for the purposes of a panel discussion give permission to the processing of other data concerning sexual orientation with a view to aggregating and analysing the data for the purposes of personalised advertising under the GDPR?
Essentially, did Mr Schrems by manifestly making sensitive personal data about himself public give his consent to the processing thereof under the GDPR?
The EU Court of Justice’s Answers
Data minimisation under the GDPR must be interpreted as precluding the personal data obtained by a controller, such as the operator of an online social network platform, from the data subject or third parties and collected either on or outside that platform, from being aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data.
Moreover, the fact that a person has made a statement about his or her sexual orientation on the occasion of a panel discussion open to the public does not authorise the operator of an online social network platform to process other data relating to that person’s sexual orientation, obtained, as the case may be, outside that platform using partner third-party websites and apps, with a view to aggregating and analysing those data, in order to offer that person personalised advertising.
Conclusion
A statement made about a person’s sexual orientation during a public panel discussion does not authorise the operator of an online social network platform, including Meta, to process other data relating to the person’s sexual orientation. The judgment’s importance lies in the fact that Meta, and other online advertisement companies, will have to limit the data it uses for advertising purposes. Despite Meta using all personal data it has been collecting through the means described above, it will now have to abide by the ‘data minimisation’ principle included in the GDPR. Following this judgment, only a small part of Meta’s large data pool will be allowed to be used for advertising, even when users consent to ads.
Our website will provide you with an overview of our services and the advice we provide. If you would like further information about how we can assist you, please contact us.
Call: +357 22 777000 | Email: info@chrysostomides.com.cy