Following the judgement of 4 October 2024 of the Court of Justice of the European Union (CJEU)[i], case C‑446/21 between Maximilian Schrems and Meta Platforms Ireland Ltd (“Meta”), the scope of collection of personal data on social media network platforms and the applicable restrictions thereof in particular in the context of targeted advertising were put under strict scrutiny.

Here, the EU General Data Protection Regulation (GDPR) principles of data minimisation and purpose limitation were specifically delved into.

Meta generally manages the provision of services of the online social network Facebook in the EU and is considered as the controller within the meaning of the GDPR. The present case concerns data collected from Facebook users’ activities by Meta not only on Facebook but also outside, including those data related to online platform visits and navigation patterns as well as third party websites and applications. For this, Meta is seen to utilise cookies, social plug-ins and pixels, which are embedded on the relevant websites, for the purpose of targeted advertising.

The CJEU decision brings further clarity to the following:

. the scope of the principle of data minimisation under Art. 5(1)(c) GDPR covers all personal data which is collected from data subjects or third parties by a controller, collected on or outside the platform, for the purpose of aggregation, analysis and processing in the context of targeted advertising, whereby the retention time would at all times need to be restricted and the type of personal data would need to be distinguished. Furthermore, the principle is applicable irrespective of the legal basis used for the processing, and even if a data subject may have consented to targeted advertising, their personal data cannot be used indefinitely.

. Article 9(2)(e) GDPR, on processing of special categories of personal data, would need to be interpreted in a restrictive manner, whereby the mere mentioning of a fact by a data subject in a public setting should not easily give rise to any other information related to that particular fact being labelled as “manifestly made public” and hence legally permitted to be processed.

As a consequence of the CJEU ruling, any operator of a social media network platform or online advertisement company would need to restrict their data pool and put in place an effective data deletion policy.  

[i] See here https://curia.europa.eu/juris/document/document.jsf;jsessionid=5CE53D5E3FCC1ABA77F2ACD5AAC2F038?text=&docid=290674&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=1306139.