Expect a lot of misinformation regarding AG Rantos’s Opinion of today in the CJEU case regarding Schrems v Meta. Why?
(i) Some campaigners are claiming that this is a victory on question 2*, because the advertising industry would allegedly keep years and years of data for advertising purposes.
Yet old information is less valuable for advertising than new information – in fact, outdated information is often of little to no value.
The Advocate General also says that “the EU judicature cannot set a mandatory time limit for the retention of such data”, so there is no specific timeframe that could be imposed by the CJEU anyway.
Instead, “It is therefore for the referring court to assess, in the light of the circumstances of the case and by applying the principle of proportionality, the extent to which the period of retention of personal data […] is justified having regard to the legitimate aim of processing those data for the purposes of personalised advertising”.
Same re categories of data: “it is also for the referring court to determine, in the circumstances of the present case, the personal data the processing of which may be considered to be lawful”.
The AG does say that some categories are more intrusive than others, but I’m not convinced that the AG’s position will be shared by everyone (on both sides of the debate).
(ii) Some are claiming that this is a victory on question 4 and that it means that sensitive data can never be used for profile-based advertising or that scraping is illegal.
Wrong.
The AG specifically states that manifestly making sensitive data public means that the protections afforded by Art. 9 GDPR do not apply – but Articles 5 and 6 still do (and 7, where relevant).
Therefore, Art. 9(2)(e) GDPR – the “manifestly made public” justification for processing special categories of personal data – does not not *in itself* permit processing of that data “with a view to aggregating and analysing the data for the purposes of personalised advertising”.
Those two words – “in itself” – are critical, because they show that *it can be permitted if justified under Art. 5 & 6 GDPR*. So look at what your justification is under Art. 6 GDPR.
Note though that “sensitive data for ads” is not common practice in Europe. The TCF, for instance, is “not intended, nor has it been designed, to facilitate the lawful processing of special categories of personal data […], for which the law requires meeting additional requirements such as obtaining explicit consent” (see TCF policies – https://lnkd.in/dr2Xi36P ).
(Q2 is the first question examined, Q4 is the second – only 2 were still being examined here by the Advocate General due to the fact that questions 1 and 3 were in practice answered through a separate case)
Link to the Opinion: https://lnkd.in/d7mq4e2p
data protection gdpr privacy
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗