On 4 October 2024, the European Court of Justice (ECJ) issued another decision in the dispute between Max Schrems and Meta in case C-446/21. This case is closely related to the decision in case C-252/21 (see ePrivacyBlog September 2023) and is based on it. The ECJ now essentially makes two findings. Unsurprisingly, the ECJ emphasises that the principle of data minimisation also applies in online marketing. Accordingly, data may not be processed indefinitely, even if the data processing was originally permissible. The ECJ was unable to decide whether outdated data was relied upon in the initial proceedings, and it is up to the referring court to clarify this. In practice, this means that the focus is shifting more towards the existence of deletion policies.
On the other hand, the ECJ examined when, according to Article 9 (2) (e) of the GDPR, sensitive personal data itself has been made public. The ECJ found that this exception applied in the present proceedings, but emphasised that this did not automatically imply consent to the processing of sensitive data, in particular to the processing of sensitive data obtained outside the platform for the purposes of advertising (‘indirect’ generation of sensitive data through social plug-ins, cookies, pixels on third-party websites with subsequent targeting). This finding is extremely important for practice because it raises the question of the permissibility of processing public data in general. As is well known, there are numerous publication requirements (see only legal notice); however, the ECJ does not (yet) take a position on the question of whether their (purpose-altering) processing is permissible.