The Schrems Saga continues with the recent judgement (hereinafter, the “Judgment”) of the Court of Justice of the European Union (“CJEU”) in the case entitled Maximillian Schrems vs. Meta Platforms Ireland Ltd, formerly Facebook Ireland Ltd.[i] The Judgement delves into the handling by social media platforms of off-platform data for the purpose of online personalized advertising, as well as the strict limitations imposed by the GDPR when it comes to processing of sensitive personal data, including sexual orientation.
This article explores the Judgment’s implications on the digital marketing operations of social media platforms as well as the possible limitations on the use of artificial intelligence in the collection and processing of sensitive personal data.
The CJEU’s latest Schrems Judgement
a. Background
At the heart of the case is the collection by Meta Platforms Ireland Ltd, formerly Facebook Ireland Ltd (“Meta”) of data relating to users’ activities outside Facebook, through the use of cookies, social plug-ins, pixels and comparable technologies integrated into third-party websites. Meta utilized the collected data to identify users’ interests in sensitive topics, such as health, sexual orientation, ethnic groups, and political parties, and Meta was consequently able to direct targeted advertising at the users relating to these topics.
Maximilian Schrems (“Schrems”) claimed that he never consented to the processing by Meta of his personal data concerning activities outside Facebook for the purpose of personalized advertising. Schrems nonetheless received advertisements which, among others, targeted homosexual persons (which was based on Meta’s analysis of the interests of Schrems and his friends). Schrems did not disclose his sexual orientation on his Facebook profile, although he publicly revealed that he is a homosexual during a panel discussion in Vienna.
By way of response, Meta argued that Schrems’ personal data was processed in accordance with the terms of use to which Schrems agreed when he created his account.
b. The Principle of Data Minimization
The CJEU concluded that Meta as a data controller is precluded from aggregating, analysing and/or processing data obtained from either on or outside Facebook for the purposes of targeted advertising without restriction as to time and without distinction as to type of data. Under the principle of data minimization as enshrined in Article 5(1)(c) of the GDPR,[ii] personal data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. Controllers must also limit the period of collection of the personal data to what is strictly necessary in the light of the objective of the envisaged processing, since prolonging the storage period of those data would increase its impact on the interests and private life of the data subject.
Meta collects the personal data of Facebook users, including Schrems, concerning those users’ activities both on and outside Facebook, including data relating to online platform visits and third-party websites and apps. Meta also follows users’ navigation patterns on those sites through the use of social plug-ins and pixels embedded in the relevant websites.
Accordingly, Meta processes potentially unlimited data which can significantly impact the user, as it may give rise to the feeling that his or her private life is being continuously monitored. The CJEU concluded, subject to verification by the national courts, that Meta’s extensive processing of personal data does not appear to be reasonably justified, and may therefore constitute a serious interference with the fundamental rights of the data subjects, in particular their right to respect for their private life and the protection of personal data guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
c. Limitations on Use of Off-Platform Sensitive Personal Data
The CJEU also discussed Meta’s use of off-platform data relating to Schrems’ sexual orientation. Under Article 9(1) of the GDPR, the processing of special categories of personal data, which includes sex life or sexual orientation, is prohibited. This prohibition does not apply in, inter alia, a scenario where the personal data were “manifestly made public by the data subject” as provided in Article 9(2)(e) of the GDPR.
The CJEU found, subject to verification, that Schrems’ disclosure of his sexual orientation during a public panel discussion in Viena has the effect of manifestly making his sexual orientation a public data, and consequently rendering the same as a derogation from the prohibition laid down in Article 9(1) of the GDPR. However, that fact alone does not authorize Meta to process other personal data of Schrems relating to his sexual orientation. It would be contrary to the restrictive interpretation of Article 9(2)(e) of the GDPR to find that all data relating to Schrems’ sexual orientation fall outside the scope of protection under Article 9(1) thereof solely because the data subject has manifestly made public personal data relating to Schrems’ sexual orientation.
Impact of the latest Schrems Judgment.
a. Impact on Digital Marketing
This case holds potential implications on digital marketing operations of social media platforms, particularly on the use of cookies, plug-in, pixels and similar mechanisms. One of the best-known pixel is the Meta Pixel which was partially discussed in the CJEU’s Judgement. However, pixels are also being used by other social media platforms such as Twitter, TikTok, LinkedIn, Pinterest and Snapchat.[iii]
As found by the CJEU, social plug-ins and pixels, together with cookies, constitute an essential element of internet advertising, as they allow for advertisements to be tailored to users, while also allowing advertisers to obtain information about targeted user groups. These mechanisms also allow social media platforms to collect the personal data of its users concerning activities outside its platform. [iv]
The CJEU has made it clear that the indiscriminate processing of these off-platform data may violate the GDPR, including the principle of data minimization, if such processing is devoid of restrictions as to time and type of data. While the use of cookies, plug-ins and pixels were not prohibited by the CJEU, the Judgement nonetheless serves as a reminder to social media platforms, including Facebook, about the legal limits on data processing, underscoring that commercial interests of both platforms and advertisers do not enjoy priority over data protection rights. Companies need to continually assess their data collection practices, particularly for off-platform data, moving towards narrower, purpose-specific data processing strategies that comply with GDPR standards. Said strategies may include obtaining separate express consent for collection of outside data, more robust data retention policies, and stricter criterion for selection of off-platform data that may be used for targeted advertising purposes.
b. Processing of sensitive personal data
Social media platforms need to be cautious about the use of sensitive personal data, including sexual orientation, collected from third-party website, keeping into mind that the processing of sensitive personal data is prohibited unless it falls under the derogation provided in the GDPR. The CJEU ruled that even if an individual discloses sensitive information, such as sexual orientation, in a public forum, this does not grant social media platforms a blanket right to aggregate or analyze further sensitive data about that individual from other sources.
The Judgement therefore highlights the stringent approach of the GDPR when it comes to sensitive personal data as emphasized in Recital 51 thereof. The mere rendering of personal data as public does not grant an unbridled license to controllers for the indiscriminate processing of personal data, as GDPR’s protective principles will still apply.
Given the foregoing, a question arises about whether or not more advanced processing and collection devices and strategies, including the use of artificial intelligence (AI), may be employed by social media platforms with respect to sensitive personal data. AI algorithms are often designed to aggregate vast amounts of data from various sources, including a myriad of third-party websites, to obtain information about the behaviors, preferences and lifestyles of data subjects.[v]
To complicate matters, AI can generate “inferred data” by analyzing patterns across seemingly non-sensitive data points, ultimately inferring sensitive information, such as an individual’s sexual orientation. This inferential capability allows AI to uncover information beyond what data subject have explicitly disclosed within a given platform, such as in the case of Schrems.
The use of AI in processing sensitive data may therefore prove to be a difficult endeavor for social media platforms in the context of processing sensitive personal information, as it will be difficult to restrict AI’s scope. Verily, under the standards explained by the CJEU in the Judgement, the unrestricted access to external data sources can lead to unintended violations of the GDPR, unless mechanisms are in to ensure that that processing of any sensitive personal data has lawful basis, and that principles of data minimization and proportionality are followed.
Conclusion
The recent Schrems v. Meta case underscores the importance of compliance by social media networks with GDPR’s principles of data minimization, placing substantial limitations on digital platforms’ use of personal data for targeted advertising and other commercial purposes.
However, the ruling exposes challenges in the implementation of GDPR’s data protection framework in relation to the reliance by social media platforms on data from outside its network. Accordingly, social media platforms including Meta need to reevaluate their data processing practices, and it will be interesting to see how these big companies respond, if at all, to the limitations reiterated by the CJEU in this ruling.
[i] Case C-446/21.
[ii] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[iii] https://digitalculturenetwork.org.uk/knowledge/whats-a-social-media-pixel-and-what-do-they-do/#:~:text=Social%20media%20tracking%20pixels%20allow%20marketers%20to%20retarget%20users%20with,similar%20content%20in%20the%20future.
[iv] Paragraph 19 of the Judgement.
[v] De Gregorio G., Digital Constitutionalism in Europe. Reframing Rights and Powers in the Algorithmic Society (Cambridge University Press 2022), p. 230.
