1. Introduction and Context of the Case

This short article analyses the Advocate General (AG) opinion in Maximilian Schrems v Meta Platforms Ireland Limited, formerly Facebook Ireland Limited. This case is related to the interpretation of data minimization principle and purpose limitation principle in case of special categories of personal data processing based on exception of manifestly made public by data subject (Article 9(2)(e) of the GDPR.

Meta Platforms Ireland, the company behind Facebook, operates a social network for sharing content and sells online advertising based on user profiles. In 2018, they presented new terms of service to users in the EU to comply with the GDPR. The applicant, a Facebook user, accepted the new terms but claims to have received targeted advertisements and invitations based on an analysis of his interests, including his sexual orientation. He brought a legal action against Meta Platforms Ireland for the alleged unlawful processing of his personal data. The case has been appealed to the Oberster Gerichtshof (Supreme Court of Austria) which has referred two questions to the Court of Justice of the EU (CJEU) for a preliminary ruling. This preliminary ruling is about the interpretation of GDPR articles related to data minimization and the processing of personal data for personalized advertising as well as the relationship between exceptions to the processing of special categories of personal data processing and purpose limitation principle.

  1. Data Minimization Principle in Behavioral Advertising Context

The AG Opinion provides the interpretation of the concepts of data minimization, temporal restrictions, and limitations on the types of data in the context of personal data processing.

Data minimisation involves the practice of restricting personal data to only what is essential for the intended objectives. The GDPR does not establish a specific timeframe for how long personal data should be retained. However, the AG stated that if the data is no longer needed for its original purposes, the initial lawful processing may become incompatible over time. The permissibility of processing data is determined on an individual basis, with competent authorities having significant discretion on the interpretation of compatibility of the retention of data with the purpose.

The scope of processing personal data for targeted advertising should be limited. The referring court is responsible for evaluating the amount of data processed, taking into account the principle of proportionality. As a guidance to the competent authorities, the AG Opinion distinguishes between 'static' data, such as age or sex, and 'behavioural' data, such as monitoring browsing habits, which is typically more invasive to the rights of the individual whose data is being collected. Additionally, it differentiates between between data gathering associated and active behaviour (such as clicking on a 'Like' button) and passive behaviour (such as visiting a website), which is more invasive for the user. In addition, another distinction is provided on the basis of processsing of personal data on Facebook and external platforms, such as websites, apps, or devices, which tend to be more invasive. This differentiation is established according to the extent to which processing interferes with the rights of the data subject and the national court should assess the specifics of the case at the hand considering the proportionality principle enshrined in the GDPR.

  1. Exceptions to Processing of Special Categories of Data and Its Relation with Purpose Limitation Principle

AG Opinion also provides how the exception of processing of data which manifestly made public by the data subject under Article 9(2) (e) of the GDPR.

The classification of an applicant's statement for the purposes of Article 9(2)(e) of the GDPR requires two conditions: an objective condition that the personal data in question must be manifestly made public and a subjective condition that is the "data subject" who must make those data manifestly public.

In the present case, the applicant's statement may reach an indefinite public due to the open nature of the panel discussion and the public's interest in the subject addressed by the panel. The objective of the protection conferred by Article 9(1) of the GDPR is to prevent the data subject from being exposed to harmful consequences, such as public opprobrium or discriminatory acts, stemming from a negative perception of the situations set out therein. This provision provides for special protection of such personal data through a fundamental prohibition, which is not absolute and subject to the assessment of the data subject.

The AG Opinion discusses the implications of publicizing one's sexual orientation for Meta Platforms Ireland's purposes under Articles 5 and 6 of the GDPR. It is purposed that the data subject's public disclosure of their sexual orientation does not automatically allow processing for all the purposes. Otherwise, the purpose limitation provision lifts the special protection afforded to sensitive personal data, and once waived, the data becomes non-sensitive. These data can only be processed lawfully under specific conditions and compliance with Articles 6 and 7 of the GDPR, including the principle of purpose limitation in Article 5(1)(b). The AG suggests that Article 5(1)(b) of the GDPR, along with Article 9(2)(e) of the GDPR, should be interpreted as meaning that public statements about a person's sexual orientation does not mean processing for aggregating and analyzing data for personalized advertising purposes.

  1. Key Takeaways of the AG Opinion:

Although the AG Opinion is not legally binding, it aligns with the CJEU's established case-law regarding the enhanced safeguarding of special categories of personal data. From a pragmatic standpoint, it is evident that exceptions regarding the processing of personal data in Article 9(2) of the GDPR should be interpreted in a stringent manner. The second message is that relying on these exceptions cannot be solely interpreted in light of Article 9(2) of the GDPR. When relying on exceptions under Article 9(2) of the GDPR, it is important to consider the principles outlined in Article 5 of the GDPR in particular purpose limitation. It means that a data controller may process personal data under the exceptions, provided that it aligns with the principles established in the GDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.