October saw a continuation of activity from both the Court of Justice of the European Union (CJEU) and the Irish Data Protection Commission (DPC) in respect of the application and interpretation of lawful bases under the General Data Protection Regulation (GDPR), in particular the quality and availability of consent in respect of targeted advertising and the scope of the "legitimate interests" lawful basis under Article 6(1)(f) of the GDPR.
Non-compliant consent: Schrems v Meta
On 4 October 2024 the CJEU issued its judgment involving Mr Maximilian Schrems against Meta Platforms Ireland Ltd (Meta) regarding the processing of sensitive data under the GDPR.
The CJEU's judgment follows our previous publication highlighting the proposed "Consent or Pay/Pay or Okay" models that have recently become more prominent. For more information, see what we had to say here.
Meta, which manages the provision of the services of the online social network Facebook in the European Union, is the controller of the personal data of users of that social network in the European Union. Meta had promoted its services as being provided free of charge to private users; however, this changed on 5 November 2023. From 6 November 2023, users of the platform were granted access free of charge only if they had consented to their personal data being collected and used for the purposes of direct personal advertising. Alternatively, users could sign up to a paid subscription, which provided the same services without personalised advertising and so avoided the need to consent to direct advertising.
Mr Schrems did not provide Meta with consent to process his personal data for the purposes of direct advertising nor did he provide it to other platform partners outside of Meta's Facebook. However, Meta was still able to, and did, promote personalised advertising towards Mr Schrems concerning his sexual orientation or political beliefs.
How? The CJEU's judgment tells us that Meta used:
"‘cookies’, ‘social plug-ins’ and ‘pixels’, as indicated by its terms of use and policies. It can ascertain the source of visits by means of cookies. Many of Meta Platforms Ireland’s services cannot be used without activating the cookie function. Facebook’s social plug-ins are ‘embedded’ by third-party website operators into their pages. The most widely used is Facebook’s ‘like’ button. Each time such websites containing that button are visited, the cookies stored on the device being used, the URL of the page visited and various log data (e.g. IP addresses, time data) are transmitted to Meta Platforms Ireland. In that respect, it is not necessary that the user has clicked on the ‘like’ button, since merely loading a page with such a plug-in is sufficient for those data to be transmitted to Meta Platforms Ireland."
Using those plug-ins, Meta had been able to follow Mr Schrems' internet behaviour, which triggered the collection of certain sensitive personal data. Mr Schrems had not disclosed his sexual orientation on Meta's Facebook. However, Mr Schrems had disclosed his sexual orientation in public, in particular on the occasion of a panel discussion. It was also acknowledged that Meta was already processing Mr Schrems' personal data concerning his sexual orientation prior to his comments at the public panel. Meta had subsequently collated and processed Mr Schrems' personal data from outside the Facebook platform, using partner third-party websites and apps, with a view to aggregating and analysing those data in order to offer Mr Schrems personalised advertising.
Mr Schrems argued that Meta's processing of his personal data infringed several provisions of the GDPR and that his consent to the terms of use on the social media platform Facebook did not comply with various provisions of the GDPR.
The CJEU held that Meta cannot use all of the personal data obtained for the purposes of targeted advertising without restriction as to time and without distinction as to the type of data. The judgment can be broken down into two parts: first, the data minimisation principle and, second, the processing of special categories of personal data which have been manifestly made public.
The CJEU held that Meta had infringed Article 5 of the GDPR (data minimisation) owing to the extensive processing of Mr Schrems' personal data, which had been collated over time. The processing was deemed extensive since it related to potentially unlimited data and had a significant impact on Mr Schrems: a large part, if not almost all, of his online activities were monitored by Meta, which may give rise to the feeling that his private life is being continuously monitored. Meta's processing was characterised as disproportionate and a serious interference with the fundamental rights of Mr Schrems, which could not reasonably be justified merely in order to carry out targeted advertising.
Secondly, the CJEU held that Meta infringed Article 9(2)(e) in relation to the processing of Mr Schrems' personal data which had been made public by Mr Schrems himself. The CJEU stated that the fact that Mr Schrems has manifestly made public information concerning his sexual orientation does not mean that he has given his consent, within the meaning of Article 9(2)(a) of the GDPR, to the processing of other data relating to his sexual orientation by Meta. Although it is not disputed that Mr Schrems had made a public statement, it could not be inferred that he had given Meta explicit consent to the processing of his personal data, nor could it be argued that such processing was for a specific purpose, given Meta's collation and aggregation of Mr Schrems' personal data.
What does this mean?
Data minimisation is at the forefront of this judgment, and it is a stinging reminder that aggregating data across various platforms (whether or not they are owned by the same entity) is not an appropriate use of data collection for the purposes of direct marketing. The data processed should be adequate, relevant and limited to what is necessary, and consent to the terms of use for one purpose does not grant access to data aggregated across different vendors in order to provide direct marketing to data subjects.
Equally, where personal data is scraped through plug-ins made available to organisations on third-party websites and apps and then used for targeted marketing purposes, this will attract greater scrutiny under the data minimisation principle. It should not be assumed that all information gathered can be retained indefinitely, or that the scope for collecting personal data via these methods is unlimited, given the heavy and disproportionate interference with data subjects' fundamental rights.
Reliance on statements which data subjects have manifestly made public, when processing their personal data for targeted marketing, carries a high risk of infringing Article 9. The reason is that data subjects are unlikely to be treated as having given explicit consent to a specific purpose (or purposes), and the further in the past those statements were made, the greater the risk.
The judgment can be found here.
No appropriate lawful basis identified: Irish Data Protection Commission fines LinkedIn Ireland €310 million
On 24 October 2024, the DPC announced its final decision following its inquiry into LinkedIn Ireland Unlimited Company (LinkedIn) concerning the processing of personal data. As a result of its findings, the DPC has fined LinkedIn €310 million for its infringements of the GDPR.
The DPC initiated its complaint-based inquiry into LinkedIn following a complaint made on 20 August 2018 by La Quadrature Du Net. The complaint was initially made to the French Data Protection Authority but was transferred to the DPC in its role as the lead supervisory authority for LinkedIn, which acts as the controller for the processing of the personal data in question.
LinkedIn had processed personal data for the purposes of behavioural analysis and targeted advertising of its platform users who had created profiles. The issue at hand centred around the lawfulness, fairness and transparency of LinkedIn's processing of personal data. Specifically:
- Articles 6 and 5(1)(a) GDPR - Consent, legitimate interests and contractual necessity;
- Articles 13(1)(c) and 14(1)(c) GDPR – Lawful basis; and
- Article 5(1)(a) GDPR – Fairness.
The DPC noted in its decision that LinkedIn could not validly rely on its users' consent as it was “not freely given, sufficiently informed or specific, or unambiguous”. Equally, the DPC found that LinkedIn had no grounds to rely on the legal basis of contractual necessity, "as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects". In addition, LinkedIn was found to have infringed the principle of fairness under Article 5(1)(a) GDPR, which requires that LinkedIn process users' data lawfully, fairly and in a transparent manner in relation to the data subject.
As a result of LinkedIn's infringements, the DPC:
- Issued a reprimand;
- Issued three administrative fines totalling €310 million; and
- Ordered LinkedIn to bring its processing into compliance with the GDPR.
What does this mean?
The DPC's decision highlights how important it is for data controllers carrying out behavioural analysis or targeted advertising to ensure that they have a watertight and unambiguous lawful basis for processing data. The lawful basis should be easily accessible to users, set out in privacy notices/policies and presented in plain English, avoiding technical and legal jargon and the bundling of various consents.
The full decision has yet to be published; for more information, please see here.
Scope of "legitimate interests": Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens
On 4 October 2024 the CJEU handed down its judgment clarifying the scope of "legitimate interests" under Article 6(1)(f) of the GDPR. The focus of the dispute and the subsequent ruling was whether a "legitimate interest" could be interpreted to encompass purely commercial interests when processing personal data in certain circumstances.
Koninklijke Nederlandse Lawn Tennisbond (KNLT) disclosed personal data of its members to two of its sponsors, namely to SportshopsDirect BV (TennisDirect), a company that sells sports products, and Nederlandse Loterij Organisatie BV (NLO), the largest provider of games of chance and casino games in the Netherlands.
It was accepted between all parties that KNLT had not sought consent from individual members and instead relied on the basis of a legitimate interest. KNLT submitted that that interest consists in creating a strong link between that association and its members and in being able to provide added value to their membership in the form of discounts and offers from partners enabling those members to play tennis at an affordable and accessible price.
KNLT's submissions were therefore based on the argument that a commercial interest was capable of being a legitimate interest, subject to it not being contrary to the law.
The CJEU held that for the purposes of Article 6(1)(f) of the GDPR that:
- The processing of personal data which consists in the disclosure, for consideration, of personal data of the members of a sports federation, in order to satisfy a commercial interest of the controller, may be regarded as necessary for the purposes of the legitimate interests pursued by that controller;
- This is only possible if that processing is strictly necessary for the purposes of the legitimate interest in question and if the interests or fundamental rights and freedoms of the members do not override that legitimate interest; and
- While Art. 6(1)(f) GDPR does not require that such an interest be determined by law, it requires that the alleged legitimate interest be lawful.
Following this judgment, the EDPB adopted new guidelines regarding the use of the 'legitimate interests' basis for processing personal data (Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR (Guidelines)).
The EDPB states that the "open-ended nature of Article 6(1)(f) GDPR does not necessarily mean that this legal basis should be seen as one that can only be used as a “last resort” in rare and unforeseen situations, or that Article 6(1)(f) should be seen as a last option if no other legal bases apply". Moreover, the Guidelines provide clarity on the relationship between legitimate interests and data subject rights.
The EDPB has welcomed comments via public consultation on the Guidelines until 20 November 2024. Read more here.
Why is this decision important?
The CJEU's ruling provides businesses with an avenue to rely on 'commercial interests' as a legitimate interest for the purposes of processing personal data. However, the ability to do so and circumstances which may give rise to its reliance are narrow in scope and heavily subjective.
Importantly, where a business is in a position to obtain consent instead (for example, from a small pool of data subjects), this may indicate that the second limb of the test, necessity, is not met and that the business is therefore unable to rely on the 'commercial interests' basis. Correspondingly, where the sole motivation is some monetary reward, income or benefit in kind, with no intrinsic link between the business and the data subjects, this is again unlikely to be sufficient to demonstrate a 'commercial interest' that complies with the GDPR.
Although the UK has since left the EU and is no longer a member, the CJEU's judgment remains of critical relevance for businesses, as the obligations contained in Article 6(1)(f) of the UK GDPR are the same as those in the GDPR. The judgment has no binding authority, and UK courts are therefore not required to follow the decision; however, it is highly likely that the UK courts will take it into consideration when making any future rulings on similar matters. Equally, this applies to the Information Commissioner's Office (ICO) and may bear weight when the ICO considers any enforcement action or subsequent policy amendments.
The judgment can be found here.