by Luca Farkas
In two recent cases, the Court of Justice of the European Union (CJEU) clarified the interpretation and application of the General Data Protection Regulation (GDPR), a cornerstone of EU data privacy law designed to protect individuals' personal data. While the cases tackle different aspects of GDPR enforcement, they share a common concern: the boundaries and protections surrounding personal data in commercial and social contexts.
In Schrems (Case C-446/21),[1] the CJEU addressed the unauthorized processing of personal data for targeted advertising by online social platforms like Facebook, while the Lindenapotheke (Case C-21/23)[2] involved the legality of processing health data in online transactions for pharmacy-only medicinal products.
Both cases highlight the GDPR’s broad scope and its intent to prevent overreach in the use of personal data. Together, they reinforce the importance of strict data protection standards and the need for clear, informed consent in any data processing operation.
Clarifying the Data Minimisation Principle - the Schrems Case
The Schrems ruling offers critical insights into the limits of data processing under the GDPR,[3] particularly regarding the use of personal data for targeted advertising.
The first central issue of the case was whether Meta could aggregate and analyse all personal data—whether collected on its platform or from third-party sites—for targeted advertising without restriction. The Court answered no, reinforcing the GDPR’s key principle of data minimisation.[4] This principle requires that data be collected only for specific purposes and processed in a limited and necessary manner. Consequently, platforms cannot process all collected data indefinitely or without boundaries, especially sensitive information like sexual orientation. This applies even when a user consents to personalized advertising: their personal data still cannot be used indefinitely by companies.[5] The Court thus confirmed that the GDPR prohibits the aggregation, analysis, and processing of all personal data for targeted advertising purposes without any time limitations or distinctions based on the type of data.[6]
The Court also addressed whether a public statement about one’s sexual orientation—such as Mr. Schrems’ disclosure during a panel discussion—allows for the processing of other data related to that orientation for targeted advertising. Under the GDPR, companies may process information that is "manifestly made public",[7] as this creates an assumption that the data subject consented to the processing. Regarding this rule, the Court clarified that while a public declaration may permit some processing, it does not authorize platforms to aggregate additional data for personalized advertising. Therefore, the Court followed the Opinion of Advocate General Rantos of 25 April 2024,[8] which stated that the first question to ask is whether the act in question constitutes a disclosure that makes certain personal data "manifestly public" within the meaning of Article 9(2)(e) of the GDPR. The second question is whether making the data manifestly public permits its processing for specific purposes, such as targeted advertising, in accordance with Articles 5 and 6 of the GDPR. Through this ruling, the Court confirmed that even if an individual shares personal information publicly, this does not grant platforms a blanket right to process further related data without proper consent.
The ruling emphasizes that businesses must ensure that data processing is both necessary and explicitly consented to by the individual, particularly when handling sensitive data. It underscores the importance of clear, informed consent and strict adherence to GDPR principles to avoid overreaching in data collection and usage.
Broad Interpretation of Special Category Data and GDPR Breaches as Unfair Commercial Practices – the Lindenapotheke Case
The Lindenapotheke ruling, while focusing on a different context, echoes similar concerns about the need for explicit consent and transparency in the processing of personal data. Here, the CJEU addressed the processing of health data in the context of online sales of pharmacy-only medicinal products. It determined that the information customers provide when ordering these products online—such as delivery addresses and details needed for individualising the products—constitutes sensitive health data under the GDPR, even when those medicinal products do not require a prescription.[9] In this decision, the Court diverged from the Advocate General's Opinion, reaffirming the broad interpretation of 'special category' data under the GDPR.[10]
Additionally, the Lindenapotheke ruling clarified that competitors can enforce GDPR-based unfair commercial practices, allowing them to invoke violations of the regulation’s substantive provisions in national legal proceedings, even when specific remedies under the GDPR are not available.[11] The Court stressed that the remedies in Chapter VIII of the GDPR are not exhaustive and that enabling competitors to challenge violations under the unfair commercial practices provision would support, rather than undermine, the regulation's objectives.[12] This decision effectively broadens the scope for private enforcement, complementing the traditional role of supervisory authorities.[13] It underscores the growing role of competitors in ensuring GDPR compliance and suggests that data privacy breaches may have far-reaching consequences for businesses, extending beyond direct regulatory penalties. As online commerce, particularly in the healthcare sector, continues to expand, businesses must prioritize transparency and secure explicit consent from consumers before processing sensitive data, including health-related information.
Key Takeaways
Both the Schrems and Lindenapotheke rulings offer critical guidance on the application of GDPR principles in real-world contexts. They underscore the necessity of robust data protection measures, particularly when handling sensitive personal data, and stress the importance of obtaining informed consent from data subjects. The Lindenapotheke ruling, in particular, further clarified that competitors can challenge GDPR violations as unfair commercial practices, expanding the scope of enforcement. These rulings help refine the legal framework for personal data processing and serve as a stark reminder that failure to respect individuals' privacy rights can lead to serious legal repercussions.
As the enforcement of GDPR continues to evolve, businesses must be proactive in reassessing their data practices and safeguarding the privacy of their customers.
[1] Judgment of the Court of Justice of the European Union, delivered on 4 October 2024, Case C‑446/21, Maximilian Schrems v Meta Platforms Ireland Ltd, https://curia.europa.eu/juris/document/document.jsf;jsessionid=5CE53D5E3FCC1ABA77F2ACD5AAC2F038?text=&docid=290674&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=1306139.
[2] Judgment of the Court of Justice of the European Union, delivered on 4 October 2024, Case C‑21/23, ND v DR, https://curia.europa.eu/juris/document/document.jsf;jsessionid=24AB9E0D002C22E70265B229FDF38154?text=&docid=290696&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=8416271.
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88, hereinafter GDPR.
[4] GDPR, Article 5(1)(c).
[5] noyb – European Center for Digital Rights, CJEU: Meta must "minimise" use of personal data for ads, 04.10.2024. https://noyb.eu/en/cjeu-meta-must-minimise-use-personal-data-ads-0.
[6] PRESS RELEASE No 166/24, Luxembourg, 4 October 2024, Judgment of the Court in Case C-446/21 | Schrems (Communication of data to the general public), Court of Justice of the European Union, https://curia.europa.eu/jcms/upload/docs/application/pdf/2024-10/cp240166en.pdf.
[7] GDPR, Article 9(2)(e).
[8] Opinion of Advocate General Rantos, delivered on 25 April 2024, §39, Court of Justice of the European Union, https://curia.europa.eu/juris/document/document.jsf?text=&docid=285201&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=787304.
[9] PRESS RELEASE No 159/24, Luxembourg, 4 October 2024, Judgment of the Court in Case C-21/23 | Lindenapotheke, Court of Justice of the European Union, https://curia.europa.eu/jcms/upload/docs/application/pdf/2024-10/cp240159en.pdf.
[10] Two Birds, Feeling unwell after the CJEU's Lindenapotheke decision?, 10.10.2024. https://www.twobirds.com/en/insights/2024/global/feeling-unwell-after-the-cjeus-lindenapotheke-decision.
[11] CJEU, Press Release No. 159/24.
[12] European Law Blog, European Court of Justice: Releasing information from within the decision-making process, 14.11.2024. https://www.europeanlawblog.eu/pub/y0sz1qv4/release/1.
[13] CJEU, Press Release No. 159/24.
