A recent ruling by the Court of Justice for the European Union (CJEU) has provided important clarification on whether social media platforms such as Facebook can use personal data obtained outside of the platform for personalised ads.
The court’s ruling means that an online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, in a generalised manner as to the type of data collected and processed and without restriction on the time period for the collection and storage of that data.
The ruling provides important guidance for social media platforms to comply with the EU’s data protection law when they collect and process sensitive personal data for personalised advertising, especially if the data is collected from outside of the platform such as third-party websites and when the data subject has made that sensitive personal data public.
The case was brought by privacy campaigner Max Schrems, who complained that Facebook misused his personal data about his sexual orientation to target ads at him. He alleged that the social network company collected personal data about him, including sensitive information like his sexual orientation, outside of the platform, and used the data to direct targeted advertising at him without his consent.
Schrems said that he did not mention his sexual orientation on the social media platform, but disclosed it on a public panel discussion. The panel discussion was streamed and a recording of it was published as a podcast and on YouTube. According to Facebook’s terms of use and policies on use of data and cookies, the operator of the platform Meta Platforms Ireland collects personal data of its users, such as those users’ activities both on and outside of the social network. They include data relating to online platform visits and data on user interaction with third-party websites and apps, tracked through technologies such as cookies, social plug-ins and pixels embedded on these websites. Schrems argued that the processing of his personal data about sexual orientation by Meta infringed a number of provisions of the General Data Protection Regulation (GDPR).
However, Meta contended that Schrems’s personal data was processed in accordance with the terms of use of Facebook, which are compatible with the requirements of the GDPR. Meta argued that the processing was lawful given the necessity of that processing for the purpose of the performance of the contract, including generating income through targeted advertising to offer services to its users free of charge, and the contract was concluded by Schrems who is a user of the online platform.
Schrems first brought the claim in 2020 before the Austrian courts, but the Supreme Court of Austria has referred the case to the CJEU to interpret how parts of the GDPR apply to this case. It asked the EU’s top court whether speaking about his sexuality in a public setting meant that Schrems gave social media companies the permission to process this data for personalised advertising.
The CJEU ruled that the principle of data minimisation provided for by the GDPR means an online social network such as Facebook cannot use all of the personal data obtained, either on or outside that platform, for the purpose of targeted advertising “without restriction as to time and without distinction as to type of data”.
The court explained that processing personal data for personalised ads may be permitted if the controller can demonstrate that the use is proportionate and can meet regulatory requirements, such as that personal data is collected and processed lawfully, fairly and in a transparent manner in relation to the data subject; the controller limits the period of the collection of the personal data in question to what is strictly necessary in the light of the objective of the processing; and the personal data are kept only for as long as is necessary for the specific purposes of the collection and processing.
“In any event, the storage of the personal data of the users of a social network platform for an unlimited period for the purpose of targeted advertising must be considered to be a disproportionate interference in the rights guaranteed to those users by the GDPR,” said the court.
It gave further guidance, saying that the indiscriminate use of all of the personal data held by a social network platform for advertising purposes, irrespective of the level of sensitivity of the data, is also not proportionate.
Under EU data protection law, data relating to someone’s sexual orientation, political affiliations, race, ethnicity or health status is categorised as sensitive and is generally prohibited for processing, but there are limited exceptions. One scenario in which the processing of sensitive data is permitted is if the data subject has manifestly made public sensitive personal data, such as sexual orientation, according to the court.
The CJEU found that it is possible that Schrems’ statement during the panel discussion in question means he had manifestly made his sexual orientation public. But it is for the Supreme Court of Austria to verify based on facts.
The court said that although the consequence of the fact that a data subject has manifestly made public his or her sexual orientation is that that data may be processed in compliance with the GDPR, that fact alone does not authorise the processing of other personal data relating to that data subject’s sexual orientation.
The case will return to Austria’s Supreme Court, which is bound by the CJEU’s judgment.