Law report: Data protection and targeted online advertising

On 4 October 2024, the Court of Justice of the European Union ("CJEU"), in delivering a preliminary ruling in the name of Maximilian Schrems v. Meta Platforms Ireland Ltd (C-446/21), provided critical guidance on the application of the General Data Protection Regulation (the "GDPR") to personalised advertising practices on online platforms like Meta Platforms Ireland (formerly Facebook Ireland). The case was referred by the Austrian Supreme Court and it centered on the lawful limits of data processing, particularly regarding data minimisation, purpose limitation and the handling of sensitive personal data. This judgement is a significant development in balancing data protection rights against the business models of social media companies.

Background and context

The case stemmed from a dispute between Maximilian Schrems and Meta Platforms Ireland concerning Meta's processing of Mr. Schrems' sensitive personal data. Meta collects personal data from Facebook users both on its network and outside it, including through other Meta-owned platforms, third-party websites, and apps. During a public panel discussion, Mr. Schrems disclosed his sexual orientation, which Meta later used to infer his interests in sensitive topics, including his sexual orientation. This information was leveraged for targeted advertising purposes.

Mr. Schrems reported receiving advertisements on Facebook directed at homosexual individuals and invitations to related events, despite never expressing interest in such events or explicitly stating his sexual orientation on his Facebook profile. He sought to have Meta stop processing his personal data for personalised advertising and requested that it refrains from using data obtained through third-party websites and platforms.

Schrems argued that Meta's targeted advertising practices violated GDPR principles, asserting that the company's methods of collecting and processing personal data, particularly sensitive data, breached GDPR requirements for lawful processing, transparency, and user consent. He contended that Meta collected data through cookies, social plugins, and third-party integrations without valid consent. Additionally, he alleged that Meta processed sensitive information, such as his sexual orientation, derived from third-party sources, without explicit authorisation, to enhance its products and deliver personalised advertisements.

Meta countered by asserting that its data processing was necessary for the performance of its user contracts, as permitted under Article 6(1)(b) of GDPR. It also invoked users' implied consent through acceptance of its terms of use.

The Austrian Supreme Court referred two key questions to the CJEU for clarification:

1.         Does GDPR allow platforms like Meta to aggregate, analyse, and process all personal data obtained on or outside the platform for targeted advertising without restrictions on time or data type?

2.         If a user publicly discloses sensitive information (e.g., sexual orientation), does this act authorise the processing of additional related data for targeted advertising?

Key findings and legal analysis

Data minimisation and targeted advertising

The CJEU reaffirmed the principle of data minimisation, as enshrined in Article 5(1)(c) of GDPR, which mandates that personal data be "adequate, relevant, and limited to what is necessary" for the specified purposes. It emphasised the points that data processing must be strictly proportionate to the legitimate aim and that the retention or use of data without clear necessity or time limits violates this principle of data minimisation. The CJEU also explained that the indiscriminate use of data, whether behavioural, demographic or sensitive, for advertising purposes, without appropriate safeguards or time restrictions, is prohibited and that data retention periods, and processing scope must be justified on a case-by-case basis. For example, behavioural data (e.g. tracking users' online activity) was identified as more intrusive than static data (e.g. age or gender). Within behavioural data, tracking passive activities (e.g. visiting a site) was deemed more intrusive than active behaviours (e.g. clicking a button).

The CJEU ruled that aggregating and processing all personal data available across various sources (e.g. third-party websites, cookies) for advertising purposes amounts to a disproportionate interference with users' privacy rights under GDPR. The CJEU's decision reinforced the notion that targeted advertising, which relies heavily on personal data, must comply with GDPR's stringent provisions on consent and transparency. Any personal data used for advertising must be collected with the explicit and informed consent of the individual, and the data usage must be proportionate to the intended outcome. The CJEU ruled that using sensitive personal data for such purposes, especially without proper safeguards or consent, is not permissible.

Retention Periods and Purpose Limitation

This case also addressed the retention period for personal data. While the GDPR does not prescribe a strict retention period, the CJEU emphasised that data controllers must demonstrate that the duration for which data is held aligns with the purpose for its collection. Specifically, personal data processed for advertising purposes must not be kept longer than necessary to achieve the intended objective. This consideration also involved an assessment of whether continued data retention is justified on the legitimate interests of the data controllers, and whether it remains proportionate to the initial purpose of data collection.

Sensitive Data and Public Disclosure

Regarding sensitive data, Article 9 of GDPR generally prohibits the processing of personal data revealing racial or ethnic origin, political opinions or sexual orientation unless specific exemptions apply. One such exemption under Article 9(2)(e) of GDPR permits processing where the data subject has "manifestly made public" such information.

The CJEU clarified a strict interpretation of Article 9. It stated that public disclosure of sensitive data by a user does not grant blanket authorisation for further processing. The exemption applies narrowly and requires explicit intent by the user to make such data accessible to a wide audience. The CJEU emphasised that simply sharing information on a social media platform (e.g. by clicking "Like" or "share") does not, in itself, render that data manifestly public. Schrems' statement about his sexual orientation during a public panel discussion did not extend to Meta's use of related data inferred from third-party sources or analytics. The court held that such secondary processing would contravene GDPR's protective provisions.

Implications of the ruling

This CJEU preliminary ruling has far-reaching implications for the digital economy and the operation of online platforms. Firstly, it imposes stricter accountability requirements on platforms. Social media companies must critically reassess their data processing practices to ensure full compliance with GDPR principles. Automated profiling and behavioural tracking for advertising purposes must pass rigorous tests for proportionality and necessity, requiring platforms to demonstrate that their data collection and use are limited to what is strictly required for specified purposes.

Secondly, the ruling strengthens users' ability to challenge invasive data practices. It reinforces their fundamental rights to privacy and data protection, particularly concerning sensitive information. This empowers individuals to hold platforms accountable for unlawful data processing and increases transparency in how their data is used.

Lastly, the judgment pushes platforms towards adjusting their business models. Those reliant on advertising revenue may need to explore alternatives, such as explicit opt-in mechanisms for data processing or subscription-based services, to align their operations with GDPR standards. This shift could lead to more user-centric approaches that prioritise privacy while maintaining compliance with EU regulations.

Conclusion

This CJEU case underscores the growing regulatory scrutiny over data processing in the digital economy. The court's decision strikes a critical balance between the operational needs of social media platforms and the fundamental rights of users under GDPR. It serves as a landmark precedent for data protection enforcement across the EU and highlights the importance of transparency, proportionality and accountability in digital advertising practices.

This judgement surely reinforces the EU's commitment to upholding individual privacy rights while setting a high standard for lawful data processing practices.

Ria Micallef is an Associate within the Investment Services and Funds team at Ganado Advocates.

Disclaimer: Ganado Advocates is responsible for contributing to this law report but was not in any way involved as legal advisor for the parties in the judgement being covered in this law report.