Austrian Supreme Court asks CJEU if Facebook "undermines" the GDPR by confusing 'consent' with an alleged 'contract'
First of all, I really like the development we’ve seen the past year or so, which is continuing this year, with regard to awarding damages, such as where subject rights requests are not handled properly (i.e. refused, not taken care of, etc.). But also where data has been processed not in accordance with the GDPR, and a data subject has suffered damage from that, such as loss of control.
As for the questions referred, they are certainly interesting and will provide for good case-law by the CJEU.
Re the question of contract vs consent, my personal take is that insofar as the contract and the provisions contained therein are legal, you can then rely on art. 6(b) GDPR.
I think paragraph 60 of the referred questions says all there is to say about the main matter:
For the interpretation of the contract in terms of data protection law and the question whether a processing activity is “necessary” in the sense of Art 6(1)(b) GDPR, the objective purpose of the contract is essential. Artificially or unilaterally imposed obligations cannot be subsumed under this. The necessity of a processing activity for fulfilment of a contract depends on whether an immediate factual connection exists between the intended processing activity and the concrete purpose of the contractual obligation. In this sense, Art 6(1)(b) GDPR must be interpreted narrowly and does not apply in situations where the processing for fulfilment of a contract is not actually necessary. The fact that the purposes of processing are covered by contractual clauses which were drafted by the provider does not automatically mean that the processing is necessary for the fulfilment of the contract.
The questions show a strong (but non-binding) consensus in regulatory guidance and legal commentaries that this consent workaround does not and must not work. Of course, when the ECJ agrees and says “well, duh”, it might still be for the lower court to determine which aspects of the terms of service are actually contractual in the sense of Art 6(1)(b) GDPR.
The other questions are interesting but less relevant, I think.
Data minimization: can a controller use all available data for ad targeting?
I mean, sure, if the controller has a legal basis. Of course, a legal basis might be hard to come by since, other than with consent, the processing must be necessary and data can only be used for the purposes for which it was collected (unless Art 6(4) applies, of course).
Are special categories of data special categories even if it isn’t distinguished from regular personal data?
To me, this seems to be related to the problem where if a controller makes a text entry box available, someone may enter special categories of data. I don’t think the data controller can be responsible for that unless they process the text contents as special categories of data (similar to how a photo is not biometric information until it is processed as such).
The question is actually raised in the context of Facebook’s likes and cross-site tracking, which may use interactions with sensitive pages as part of their profile-building. In paragraph 43 of the questions, it is mentioned that FB argued that “the ‘interest’ of the plaintiff in various parties and politicians merely discloses an interest in politics, but no political opinion”. That’s not a very convincing argument by FB and very much looks like processing of special categories of data to me. I hope the ECJ agrees.
When has personal data been manifestly made public by the data subject?
I always admire FB’s legal team’s chutzpah. The background of this question is that Schrems said in a public talk (paraphrased): “You can infer my sexual orientation from my friend list. But I’ve never disclosed that to FB, and it’s not something I talk about all the time in public, because I’d rather talk about data protection.” Says FB: “haha, you just disclosed it publicly, now Art 9(2)(e) says we’re allowed to use it!”
This question seems to be rather difficult because the data subject clearly has made this information public, but also clearly has not intended to make this public in a way that would justify processing as part of a FB ad-interest profile. The Austrian court says that there was no consent for FB’s use in the sense of Art 9 GDPR, but consent is not an aspect of Art 9(2)(e). I would expect that the “correct” solution is that the information was made public by the data subject so that the Art 9(1) prohibition of processing does not apply, but that FB has no Art 6 legal basis for processing this particular data.
Thanks for your reaction, latk, really insightful!
That’s really smart from Facebook, they probably follow everything he says just for this lol.