What kinds of processing are necessary for the performance or conclusion of a contract?
This is one of the questions the Court of Justice of the European Union (CJEU) was asked to examine in case C-252/21 between Meta Platforms and the German Federal Cartel Office, in which it delivered a judgment on July 4th, 2023.
Before we look at the judgment, it is useful to recall that the General Data Protection Regulation (GDPR) allows the processing of personal data to be based on “contract” as a legal ground (as opposed to e.g., legitimate interests, consent, and others). The European Data Protection Board has repeatedly referred to the need for an “objective link” between that processing and the contractual framework, and a controller must demonstrate such necessity, in accordance with its accountability obligation.
This case specifically examined the question of whether certain processing activities were effectively justified by “contract” as a legal ground in the context of a provision of an online social media service.
The CJEU held that this necessity must be demonstrated, and that the criterion is that the processing must be “objectively indispensable.” In its reasoning, however, the CJEU made an unusual factual assessment regarding personalized services – comments that may have far-reaching implications and may create significant uncertainty.
It is worthwhile quoting key excerpts to show the CJEU’s reasoning:
- “98. […] in order for the processing of personal data to be regarded as necessary for the performance of a contract, within the meaning of that provision, it must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject. The controller must therefore be able to demonstrate how the main subject matter of the contract cannot be achieved if the processing in question does not occur.”
- This means, in practice, not only that without the processing, the contract could not be performed, but also that internal documentation is required to be able to support the “contract” as a legal ground.
- “99. The fact that such processing may be referred to in the contract or may be merely useful for the performance of the contract is, in itself, irrelevant in that regard. The decisive factor for the purposes of applying the justification set out in point (b) of the first subparagraph of Article 6(1) of the GDPR is rather that the processing of personal data by the controller must be essential for the proper performance of the contract concluded between the controller and the data subject and, therefore, that there are no workable, less intrusive alternatives.”
- This suggests that controllers can establish necessity by showing that “less intrusive alternatives” are not workable.
So far, so good. These paragraphs of the CJEU’s judgment show that it is possible to properly justify reliance on “contract” as a legal ground if the service description is not artificial and there are objective reasons to build a service in a particular manner.
However, a little further, the CJEU provides a very significant caveat to this reasoning, by providing its own factual analysis of “personalisation”:
- “102. As regards, first, the justification based on personalised content, it is important to note that, although such a personalisation is useful to the user, in so far as it enables the user, inter alia, to view content corresponding to a large extent to his or her interests, the fact remains that, subject to verification by the referring court, personalised content does not appear to be necessary in order to offer that user the services of the online social network. Those services may, where appropriate, be provided to the user in the form of an equivalent alternative which does not involve such a personalisation, such that the latter is not objectively indispensable for a purpose that is integral to those services.”
- The CJEU always makes an assessment of the way in which EU law should be interpreted and it normally uses the facts of the case purely as context, in order to understand the questions asked to it. This particular paragraph contains an opinion on the facts themselves – in the CJEU’s view (and it was likely provided extensive background on the facts), content personalisation is not objectively indispensable to the provision of “the services of the online social network.” It may be difficult for a national judge (mentioned through the wording “subject to verification by the referring court”) to reach an opposite conclusion, though, due to the moral authority of the CJEU. This makes this particular paragraph unusual.
Next to being unusual, this particular paragraph raises significant questions for other controllers who might rely on “contract” in the context of the provision of personalised services. After all, if personalisation of a social media service is not deemed to be objectively indispensable by the CJEU, what is? The statement also appears to contradict the CJEU’s position that the absence of workable and less intrusive alternatives shows necessity: in our experience, businesses (like Meta and all others) do not usually randomly choose to offer a service in a personalised or non-personalised manner; there are normally objective reasons internally for disregarding or moving away from a particular business model. Yet, the CJEU seems to suggest that a non-personalised social media service is, in any event, workable, without any obvious justification for this position. In this context, this particular paragraph appears unfortunate, as it creates, in our view, a risk that supervisory authorities (whether of their own initiative or spurred on by complaints) and courts might consider without apparent justification that a particular alternative that has been disregarded or left behind by a controller (for valid reasons) is in fact workable. This may even happen to controllers who have built a service as a personalised service from the very beginning.
If anything, this ruling shows the need to carefully consider documentation and the justification for using “contract” as a legal ground.
It is available online, in multiple languages.
For any questions on data protection issues or on how to document necessity of processing, reach out to Peter Craddock or any other member of the Keller and Heckman LLP data law team.