PONT Data&Privacy


Schrems v. Meta: Grip on sensitive data and flawed bases

In this article, Balder Weening explains the recent Court of Justice ruling on Schrems v. Meta and discusses the rights of data subjects under the AVG (the Dutch abbreviation for the GDPR). In doing so, he explains how these rights are interpreted in practice by Meta. He further analyzes how courts interpret these rights. Weening ends the article with a brief digression on what the European Court of Justice's interpretation means for data subjects' rights.

October 24, 2024

Why Schrems III?

Austrian Max Schrems has been litigating for years against the platform Facebook and its parent company Meta. This is because he believes Meta has too much power and also processes too much data. Among other things, Schrems is known as co-founder of the non-profit organization NOYB (none of your business), which works to protect the rights of data subjects under the AVG.[1] The Schrems I and Schrems II cases caused the invalidation of first the Safe Harbor construct and later the Privacy Shield construct, which were used to provide a level of protection of personal data comparable to the AVG in transfers to the United States. Last Oct. 4, the Court of Justice of the European Union ("CJEU") again considered a case brought by Schrems, this time concerning Meta's collection of special personal data and targeting of advertisements thereon. The question in this case is whether Schrems manifestly disclosed special personal data himself, which would have allowed Meta to lawfully obtain this data and thus use it for its own advertising purposes.

The AVG, how do you do it right?

The AVG provides standards for establishing lawful processing of personal data. For example, personal data may only be processed for a predetermined purpose with a processing basis. Also, no more personal data may ever be processed than necessary and such data may never be kept longer than necessary. Moreover, processing must be proportionate; the infringement on the rights and freedoms of individuals must not be disproportionate in relation to the purpose pursued by the controller.

Thus, in order to process data in a lawful manner, there must first be a processing basis. Article 6 of the AVG contains these bases, of which 'consent' (Article 6(1)(a) AVG) is the most well-known. In addition, 'performance of an agreement' (Article 6(1)(b) AVG) is an important basis. An example of consent is the taking of photos in which data subjects are recognizably portrayed during an event and an example of performance of an agreement is the processing of address data in order to send an invoice to a data subject for a product purchased on a website.

In addition to having a processing purpose, the principles governing the processing of personal data must be observed. These principles apply cumulatively. Data minimization, or the principle of minimal data processing, is an obligation contained in Article 5(1)(c) of the AVG. This obligation means that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Think of processing a customer's date of birth. If a customer wants to buy a bunch of flowers for a friend on a website, processing the customer's date of birth is not strictly necessary. It is different when, for example, the customer wants to buy an age-related product such as a bottle of wine.[2]

The processing of special personal data within the meaning of Article 9 AVG (and Section 3.1 of the AVG Implementation Act) is in principle prohibited. Should it nevertheless be necessary to process such special personal data, the requirements for lawful processing are considerably stricter. Special personal data are data relating, for example, to race, ethnic origin, health data, political opinions, religious beliefs, genetic and biometric data and data relating to a person's sexual orientation.

However, there are exceptions to this prohibition, which are laid down in Article 9 paragraph 2 AVG and Article 22 paragraph 2 of the AVG Implementation Act. For example, processing of special personal data is still allowed when these personal data have manifestly been made public by the person concerned. This does require an explicit, unambiguous and active act of the data subject. Data is therefore, for example, not manifestly disclosed by a data subject when the data subject merely visits a website.[3]

What lies ahead?

Meta processes personal data of residents of the European Union. Since November 6, 2023, Meta's services have been free to use only for data subjects who consent to their personal data being used to, among other things, target personalized advertising to them. For users who do not consent to this, there is the possibility, for a fee, to access Meta without their data being used for personalized advertising.[4] This follows an earlier ruling by the German market regulator against Meta, which made mincemeat of legitimate interest as the basis for processing.[5]

It is no secret to anyone that Meta makes money by selling personal data. The process is set up as follows: first of all, Meta uses cookies, social plug-ins and pixels, for example in the form of the well-known "like" button,[6] to collect all kinds of data from Internet users. This data is used to build a profile of the individuals involved. Then this profile is sold in real time to the advertiser with the highest bid. A profile of Schrems could also be built up in this way, also collecting special personal data.[7]

Schrems states that he has not given Meta permission to process his personal data on activities outside Meta for the purpose of displaying personalized advertising. In addition, Schrems has not listed any special personal data on his Facebook profile. Also, only his friends can view activities or information on his timeline and his list of friends is not set to public.[8]

Yet Meta appears to hold a lot of data, including precisely the data on sexual preference. Apparently, in defiance of the profile settings, Meta did apply tracking methodologies. Namely, Meta can determine Schrems' interest in sensitive topics such as sexual orientation, allowing Meta to suggest targeted advertising to Schrems. This is what Meta did: it is well established that Schrems regularly received ads targeted at homosexuals. These ads were not based directly on Schrems' sexual orientation, but rather on an analysis of interests. In this case, one of Schrems' friends allegedly clicked on the "like" button of a particular product, from which Meta could apparently draw conclusions about Schrems' sexual orientation.[9]

It is important to note that Schrems publicly communicates about being gay. However, he has never mentioned this on Facebook.[10] It is therefore very noteworthy that Meta has such special personal data at its disposal, given that he was nevertheless shown advertisements aimed at a homosexual audience.

Schrems states that he never gave his consent to the processing of the above data, nor is there any basis for this in the execution of the agreement with Meta. According to Meta, however, the processing of these data is necessary for the purpose of executing the agreement concluded with Schrems.[11] In addition, Meta prefers to keep this data as long as possible. Meta also argues that Schrems manifestly disclosed his sexual orientation himself.

The question in this litigation is how to interpret the principle of minimal data processing. May Meta aggregate, analyze and process all personal data in its possession, including personal data obtained from third-party sites, for the purpose of targeted advertising? And may it do so without any limitation as to the duration or nature of the data?[12] If all this is allowed, it would mean that social media platforms, which already have very large amounts of personal data at their disposal anyway, would be allowed to use every individual piece of that personal data for marketing purposes without restraint. This seems to me to be an undesirable situation since targeted advertising is very much used nowadays.

What does the CJEU think?

The CJEU confirms that the principles in Article 5 of the AVG apply cumulatively.[13] Having regard to the principle of minimum data processing, the controller is obliged to limit the period during which data are processed to what is strictly necessary for the purpose of the processing in question.[14] In fact, a processing that was initially lawful may no longer be lawful after a period of time. This means that the data must be deleted when the purposes of processing have been achieved.[15]

The CJEU makes it very clear that indefinite retention of a user's data from a social media platform for the purpose of targeted advertising constitutes a disproportionate interference with the rights granted to such users by the AVG.[16] In addition, the Court indicates that the indiscriminate use for advertising purposes of all personal data held by a social media platform, regardless of the sensitivity of such data, also constitutes a disproportionate interference with the rights granted by the AVG to the users of the social media platform.[17]

Given the fact that Schrems spoke out about his sexual orientation during a roundtable discussion open to the public, the Austrian court questions whether Article 9 of the AVG allows an operator of a social media platform to process other data about an individual's sexual orientation obtained outside of that platform from third-party apps and websites, for the purpose of aggregating and analyzing them in order to offer personalized advertising to the individual.[18]

According to the CJEU, special personal data deserve specific protection since the context of their processing may entail significant risks to fundamental rights and freedoms.[19] Before processing special personal data, the operator of a social media platform should consider whether such data may reveal information falling within the categories of Article 9 AVG. This applies regardless of whether the information relates to a user of the social network or another natural person. If this is the case, the processing of these special personal data is in principle prohibited, unless the operator can prove that the data subject expressly intended to make these special personal data accessible to a wide public by means of an unambiguous active act.[20]

In this case, the statement Schrems made about his homosexual orientation was open to a wide audience. The public could purchase a ticket to attend the roundtable discussion in person. The conversation was also broadcast via streaming. In addition, a recording of the conversation was published as a podcast and as video on YouTube.[21] In these circumstances, the CJEU cannot rule out that the statement was an act by which Schrems, with full knowledge of the facts, manifestly disclosed his sexual orientation.[22]

It is not excluded in this case that the data subject has manifestly disclosed a piece of data concerning his sexual orientation. If this is indeed the case, this data may be processed by Meta.[23] However, from the fact that the data subject has disclosed such data, it cannot be inferred that this person has also consented within the meaning of the AVG to the processing of other data concerning his sexual orientation by Meta.[24] The processing of these other data therefore does require explicit consent within the meaning of Article 9(2)(a) AVG.

How to move forward?

Two points emerge from this ruling. First, it has become clear that the operator of a social media platform may not simply use all the data it has collected about a data subject in order to provide the data subject with targeted advertising, without limiting the data collection in time or making any distinction in the nature of this data. Indeed, this situation would run counter to the principle of minimum data processing.

In addition, it has become clear that the operator of a social media platform is not allowed to process data other than the data manifestly disclosed by the data subject about his sexual orientation. This data was often obtained outside that platform for the sole purpose of offering personalized advertising to the data subject.

With this ruling, the CJEU limits the power of social media platforms such as Meta. It is well known that these platforms can gather an awful lot of information from cookies, plug-ins and pixels, for example.

I agree with this ECJ ruling. Targeted advertising, for example, is known to change the self-image of those subjected to it. For example, people feel, albeit temporarily, more environmentally friendly and are also more likely to buy the advertised product.[25] If social media platforms are allowed to make uninhibited use of special personal data for targeted advertising, while also not being time-bound, they have an enormously valuable tool in their hands that data subjects are unlikely to want. While this ruling does not prohibit targeted advertising completely, it does seem to me to be a step in the right direction.

In my view, the gain of this ruling lies in the fact that we now know that Meta apparently processes special personal data, which can be derived with plug-ins from visiting websites that target visitors with certain political orientations or with a certain sexual orientation. In any case, we know that unless the data subject has manifestly disclosed this data, Meta may not process it. This is all the more important in light of the Meta v. Bundeskartellamt case, since this ruling decided, among other things, that a commercial interest can constitute a legitimate processing interest only under certain, specific circumstances.[26] This earlier ruling already shows that the power of Meta to sell profiles of Internet users is restricted. For example, it appears that with respect to Internet users who are not logged into Facebook but whose profiles with "ordinary" personal data are nevertheless built up, separate consent must be obtained.[27] The ruling of last October 4 clarifies that the limit for being allowed to process special personal data is even higher.

Now if you yourself want to avoid being tracked and framed just like that, you could take the following actions. For example, as a user of social networks, you can block cookies (entirely or at least third-party cookies) in the browser settings. In addition, it is a good idea to regularly delete all cookies from the browser. It also helps to install anti-tracking plugins. A good example is the EFF Privacy Badger.[28] These measures will suffice at least until Schrems brings another case against Meta in the interest of the fundamental rights of Internet users.

[1] 'About us,' NOYB (https://noyb.eu/en/about-us).

[2] "The AVG explained: privacy by design and privacy by default," NLdigital, June 20, 2024 (https://www.nldigital.nl/kennis-producten/de-avg-uitgelegd-privacy-by-design-en-privacy-by-default).

[3] "CJEU issues important rules of thumb on bases and special personal data," Dirkzwager, Sept. 11, 2024 (https://www.dirkzwager.nl/kennis/artikelen/hvjeu-geeft-belangrijke-vuistregels-over-grondslagen-en-bijzondere-persoonsgegevens).

[4] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 11.

[5] ECJ EU 4 July 2023, C-252/21, ECLI:EU:C:2023:537, para. 126.

[6] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 16.

[7] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 17.

[8] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 20-21.

[9] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 22-23.

[10] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 25.

[11] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 26-27.

[12] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 34.

[13] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 47-49.

[14] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 52-53.

[15] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 56.

[16] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 58.

[17] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 64.

[18] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 66.

[19] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 70.

[20] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 72 & 76-77.

[21] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 78.

[22] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 79.

[23] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 80.

[24] ECJ EU Oct. 4, 2024, C-446/21, ECLI:EU:C:2024:834, para. 82.

[25] "Targeted Ads Don't Just Make You More Likely to Buy - They Can Change How You Think About Yourself," Harvard Business Review, April 4, 2016 (https://hbr.org/2016/04/targeted-ads-dont-just-make-you-more-likely-to-buy-they-can-change-how-you-think-about-yourself).

[26] ECJ EU 4 July 2023, C-252/21, ECLI:EU:C:2023:537, para. 126.

[27] ECJ EU 4 July 2023, C-252/21, ECLI:EU:C:2023:537, para. 151.

[28] Available for download at https://privacybadger.org.
