The European Court of Justice (ECJ), the highest European court, delivered its judgment on July 4, 2023 in the case of Meta against the German Federal Cartel Office (Case C-252/21). Beyond Facebook, WhatsApp and Instagram, the ruling also answers questions about legitimate interest regarding tracking on websites and apps.
The four criteria for overriding legitimate interest
In its ruling, the ECJ specifies four concrete criteria for review:
- A genuine interest of the controller (website operator) must be communicated on the website or app.
- The data must be limited to what is necessary for the purposes of the processing (data minimization) and may not be further processed in a manner incompatible with those purposes (necessity).
- A balancing of the conflicting interests must take into account the reasonable expectations of the data subjects as well as the scope of the processing in question.
- The controller (website operator) must be able to demonstrate compliance through its own audit of the provider or through an independent audit (accountability).
Meta, Google, TikTok & Co. only with consent!
The ECJ even explicitly names direct advertising as a legitimate interest. Thus, the challenge of point 1 is mainly to communicate the specific purposes concretely enough in the privacy notices.
But here is the catch: The ECJ interprets the principle of necessity very narrowly and requires proof that the stated purposes cannot reasonably be achieved just as effectively by other means that interfere less with the fundamental rights and freedoms of the data subjects. In other words, there must be no milder, comparably effective solution. An argument along the lines of “this analysis tool is significantly less data protection-friendly, but it is free of charge” is clearly out of the question. As soon as the provider also pursues its own purposes, the solution fails point 2 as well.
When it comes to reasonable expectations, the ECJ applies an equally tough standard and contradicts the view that users of free services should expect their data to be disclosed or to receive personalized advertising:
“In this respect, it should be noted that, even if the services of an online social network such as Facebook are free of charge, the user of that network cannot reasonably expect that the operator of that social network will process his personal data for the purpose of personalizing advertising without his consent.”
(Translated by the author)
With regard to the scope of the data processing carried out by the major marketing platforms, the ECJ states:
“Moreover, the processing at issue in the main proceedings is particularly extensive, since it concerns potentially unlimited data and has a significant impact on the user, whose online activities are recorded to a large extent, if not almost entirely, by Meta Platforms Ireland, which may make him feel that his private life is being continuously monitored.”
(Translated by the author)
Conclusion: After this ruling, it should be almost impossible to justify the use of tags or tools of the major marketing platforms on the basis of legitimate interest.
etracker Analytics without consent!
The basis for the consent-free use of etracker Analytics, on the other hand, was confirmed by the ruling:
This is because the legitimate interest in analyzing usage data on websites and in apps pursuant to Art. 6 (1) subpara. 1 letter f GDPR is a legitimate legal basis according to the ECJ, provided that an audit proves compliance with the aforementioned criteria. When using etracker Analytics, this is ensured by the following principles, among others:
- Electronic conclusion of a Data Processing Agreement at account registration
- Automatic IP address shortening before storage
- Anonymized user identifiers automatically limited to 24h in the consent-free default mode
- Reporting with anonymized data, without any possibility of re-identifying the user
- No use of data for own purposes
- No linking with other data sources or data of other customers
- No forwarding to third parties
- Neither session recording nor mouse movement recording
- Optional server-side connection to marketing platforms for automatic upload of minimal conversion data without user identifiers
- Optional further processing of anonymized data in reporting solutions such as Google Looker Studio or Microsoft Power BI
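As an added illustration of the IP shortening and 24-hour identifier principles listed above (an assumed implementation written for this page, not etracker's own code; the prefix lengths, the keyed-hash construction and all sample values are assumptions):

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timezone

# Hypothetical helpers (not etracker's code): shorten the IP before anything is
# stored, then derive a visitor identifier that cannot outlive the current day.

def shorten_ip(ip_text: str) -> str:
    """Drop host-identifying bits before storage.
    Assumed widths: IPv4 keeps the first 24 bits, IPv6 the first 48 bits."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)

def daily_salt(day: str, secret: bytes) -> bytes:
    """Per-day key derived from a server secret; rotating it limits any id to 24h."""
    return hmac.new(secret, day.encode(), hashlib.sha256).digest()

def visitor_id(ip_text: str, user_agent: str, when: datetime, secret: bytes) -> str:
    """Keyed hash of shortened IP + user agent. Without the secret and the day's
    salt the value cannot be reversed, and it changes at the day boundary."""
    day = when.astimezone(timezone.utc).strftime("%Y-%m-%d")
    msg = f"{shorten_ip(ip_text)}|{user_agent}".encode()
    return hmac.new(daily_salt(day, secret), msg, hashlib.sha256).hexdigest()[:32]

SECRET = secrets.token_bytes(32)  # constructed; a real deployment keeps this server-side
UA = "Mozilla/5.0 (constructed sample user agent)"

def demo() -> dict:
    """Same visitor within a day -> same id; next day -> different id;
    two hosts in the same shortened range -> same id (the full IP never enters the hash)."""
    t1 = datetime(2023, 7, 4, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2023, 7, 4, 21, 0, tzinfo=timezone.utc)
    t3 = datetime(2023, 7, 5, 9, 0, tzinfo=timezone.utc)
    ip, neighbour = "203.0.113.77", "203.0.113.200"  # constructed documentation addresses
    a, b, c = (visitor_id(ip, UA, t, SECRET) for t in (t1, t2, t3))
    d = visitor_id(neighbour, UA, t1, SECRET)
    return {"stored_ip": shorten_ip(ip), "same_day": a == b,
            "next_day": a == c, "same_range": a == d, "id_len": len(a)}

if __name__ == "__main__":
    print(demo())
```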
In this respect: Thanks to the ECJ for the clarifications on legitimate interest!