Privacy & Information Security Law Blog

On October 4, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in case C‑446/21. In this judgment, the CJEU had been called upon to assess whether the GDPR imposes limits on Meta Platforms Ireland’s (“Meta”) use of personal data collected outside of the Facebook social network (off-Facebook data) for advertising purposes.

Background

The case arises from a request for a CJEU preliminary ruling by the Austrian Supreme Court following a civil lawsuit filed by a data subject against Meta. The data subject argued, among other things, that Meta was processing sensitive data, particularly data related to political beliefs and sexual orientation collected outside Facebook for the purpose of personalized advertising without an appropriate legal basis.

The CJEU’s Decision

The CJEU clarified that “storage of the personal data of the users of a social network platform for an unlimited period for the purpose of targeted advertising must be considered to be a disproportionate interference in the rights guaranteed to those users by the GDPR” and is incompatible, in particular, with the rules on storage limitation under the GDPR.

Additionally, not all data can be used for the purposes of personalized advertising, according to the Court. The CJEU considers that the simultaneous collection of the activity of a user both within and outside of the social network is a particularly intrusive type of processing. As such, the decision concludes that “the indiscriminate use of all of the personal data held by a social network platform for advertising purposes, irrespective of the level of sensitivity of the data, does not appear to be a proportionate interference with the rights guaranteed by the GDPR to users of that platform.”

Lastly, on the issue of whether the data subject had made his sexual orientation manifestly public, the CJEU considered that it cannot be excluded that this is the case, based on the fact that the information had been disclosed in a public panel discussion, which was then made available online. However, this cannot be seen, by itself, as authorizing the social network to use this information for advertising purposes.