ECJ provides clarity on legitimate interest

by Katrin Nebermann

On July 4, 2023, the European Court of Justice (ECJ), i.e. the highest European court, delivered its judgment in the proceedings between Meta and the German Federal Cartel Office(Case C-252/21). Beyond Facebook, Whatsapp and Instagram, the ruling also answers questions about legitimate interest in tracking on websites and apps.

The four criteria for the overriding legitimate interest

In its ruling, the ECJ sets out four specific test criteria:

1. A genuine interest of the controller (website operator) must be communicated on the website or in the app.
2. The data must be limited to what is necessary for the purposes of processing (data minimization) and may not be further processed in a way that is incompatible with these purposes (necessity).
3. A balancing of the opposing interests must take into account the reasonable expectations of the data subjects and the scope of the processing in question.
4. The responsible party (website operator) must be able to prove compliance through its own review of the provider or through an independent certificate (accountability).

Meta, Google, TikTok & Co. only with consent!

The ECJ even explicitly mentions direct advertising as a legitimate interest. Thus, the challenge of point 1 is mainly to communicate the specific purposes concretely enough in the data protection notices.

But here’s the thing: the ECJ interprets the principle of necessity very narrowly and requires it to be proven that the stated purposes cannot reasonably be achieved just as effectively by other means that interfere less with the fundamental rights and freedoms of the persons concerned. There must therefore be no milder, comparable solution. An argument along the lines of “this analysis tool is much less data protection-friendly, but it’s free” is clearly out of the question. As soon as the provider also pursues its own purposes, the solution also fails point 2.

When it comes to reasonable expectations, the ECJ applies an equally strict standard and contradicts the view that users of free services should expect their data or personalized advertising to be passed on:

“In this respect, it should be noted that, even if the services of an online social network such as Facebook are free of charge, the user of this network cannot reasonably expect that the operator of this social network will process his personal data without his consent for the purpose of personalizing advertising.”

With regard to the scope of data processing by the large marketing platforms, the ECJ states:

“Moreover, the processing at issue in the main proceedings is particularly extensive, since it concerns potentially unlimited data and has a significant impact on the user, whose online activities are largely, if not almost entirely, recorded by Meta Platforms Ireland, which may give him the feeling that his private life is being continuously monitored.”

Conclusion: Following this ruling, it should be almost impossible to allow the use of tags or tools from the major marketing platforms to be run under legitimate interest.

etracker analytics without consent!

However, the basis for the consent-free use of etracker analytics was confirmed by the ruling:

This is because the legitimate interest in analyzing usage data on websites and in apps pursuant to Art. 6 para. 1 subpara. 1 letter f GDPR is a legitimate legal basis according to the ECJ, provided that an examination proves compliance with the criteria mentioned. When using etracker analytics, this is ensured by the following principles, among others:

• Electronic conclusion of an AV contract with the account registration
• Automatic shortening of the IP address before persisting
• Anonymized user IDs automatically limited to 24h in consent-free standard mode
• Reporting with anonymized data without the possibility of re-identifying the user
• No use of the data for own purposes
• No linking with other data sources or data from other customers
• No disclosure to third parties
• Neither session recording nor mouse movement recording
• Direct objection function for the privacy policy
• Optional server-side connection to marketing platforms for automatic upload of minimal conversion data without user IDs
• Optional further processing of anonymized data in reporting solutions such as Google Looker Studio or Microsoft Power BI

To fulfill the required accountability, etracker offers a template for the balancing of interests as well as the certificate of the independent audit by ePrivacy Consult.

In this respect: Thanks to the ECJ for the clarifications on legitimate interest!