In a long-anticipated judgement, the Court of Justice of the European Union (CJEU) has ruled against Meta Platforms Ireland and Others in Case C-252/21 by clarifying the interpretation of the EU General Data Protection Regulation (GDPR) about whether the social media company can use personal data beyond what is strictly necessary to perform a contract. The ruling will have profound implications for Meta and any other companies seeking to use their dominant position to force users to accept personalised content and targeted behavioural advertising.
The relevant section of the CJEU press release says: "As regards more generally the processing operation carried out by Meta Platforms Ireland, including the processing of ‘non-sensitive’ data, the Court examines next whether this is covered by the justifications, set out in the GDPR, allowing the processing of data carried out in the absence of the data subject’s consent to be made lawful. In that context, it finds that the need for the performance of the contract to which the data subject is party may justify the practice at issue only on condition that the data processing is objectively indispensable such that the main subject matter of the contract cannot be achieved if the processing in question does not occur. Subject to verification by the national court, the Court of Justice expresses doubts as to whether personalised content or the consistent and seamless use of the Meta group’s own services are capable of fulfilling those criteria."
In addition, the CJEU also clarified that "personalised advertising by which the online social network Facebook finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue, in the absence of the data subject’s consent."
This latter point is relevant following reports in March indicating Meta intended to switch to using legitimate interests after the Irish Data Protection Commission (DPC) adopted two final decisions in January, fining the company a total of €390 million and confirming that its legal basis for processing user data to deliver targeted advertising was invalid.
In a statement, Austrian privacy lawyer Max Schrems said "We welcome the CJEU decision. It further clarifies that Meta cannot simply bypass the GDPR with some paragraphs in its legal documents. This will mean that Meta has to seek proper consent and cannot use its dominant position to force people to agree to things they don't want."
From a broader perspective, the also CJEU confirmed competition authorities can find a business breaches EU data protection legislation as part of wider abuse of dominant market position investigation, providing that they liaise closely with relevant data protection authorities (DPAs) and that their findings do not differ from the conclusions already reached by the DPA.
Related article: German Court turns to European Court of Justice for Facebook data case.
UPDATE: 070723 - Legal analysis by 11KBW Panopticon Blog considers the most significant impact will likely be to limit tech companies from monetising user data from one platform by running targeted advertising on another. Meta collecting data from Instagram to target adverts on Facebook.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 4,250 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.