In a groundbreaking ruling, the Court of Justice of the European Union (CJEU) has placed tighter restrictions on how businesses can process personal data without consent, tightening the rules around "legitimate interest".
This decision in Joined Cases C-17/22 and C-18/22, dated 12 September 2024, highlights stricter boundaries for data sharing, particularly in sensitive cases like contact details. The Court examined the application of Article 6(1) and the circumstances under which personal data processing may be lawful, particularly when consent is absent.
Here’s a breakdown of the key findings and what they mean for GDPR compliance.
Key Points and Analysis
1. Context of the Case
The case concerns an investment fund set up as a limited partnership offering shares to the public. The plaintiffs, who are partners in the fund, requested access to the contact details of other partners with indirect shareholdings through a trust company. The trust companies refused, arguing that the request was economically driven and could harm other partners. The referring court asked for guidance on applying Article 6(1) of the GDPR, focusing on the legitimacy of processing personal data in such a scenario.
2. Article 6(1) GDPR: Lawfulness of Processing Personal Data
Article 6(1) of the GDPR outlines six conditions under which the processing of personal data can be lawful. These include:
- Consent of the data subject (point (a))
- Processing necessary for the performance of a contract (point (b))
- Compliance with a legal obligation (point (c))
- Legitimate interest pursued by the data controller or a third party (point (f))
The Court examined how points (b), (c), and (f) applied to this case.
3. Point (b): Processing Necessary for Contract Performance
The plaintiffs argued that accessing the contact details of other partners was necessary for exercising their rights under the partnership contract, such as negotiating the purchase of shares or coordinating partner resolutions.
- Court’s Response: The Court clarified that for processing under point (b) to be justified, it must be "objectively indispensable" for fulfilling the contract. Processing that is merely helpful or convenient is not enough. In this case, the investment and trust agreements explicitly prohibited sharing personal data with other partners, so the requested data processing was not necessary for the contract's performance.
- Conclusion on Point (b): The Court ruled that disclosing the contact details of other partners does not meet the necessity threshold for contract performance, especially if the contract explicitly forbids such disclosure.
4. Point (f): Legitimate Interests of the Data Controller or Third Party
The plaintiffs also argued that their request was justified by legitimate interests, such as the economic interest of entering into share purchase negotiations or coordinating resolutions with other partners.
- Court’s Response: The Court applied the three-part test for legitimate interest under Article 6(1)(f):
  - Legitimate interest: The Court acknowledged that a wide range of interests can be considered legitimate, and the plaintiffs' interest in contacting other partners for business purposes could be legitimate.
  - Necessity: The Court emphasized that processing must be "strictly necessary" to achieve the legitimate interest. Here, the Court suggested alternative methods, such as the plaintiffs requesting the trust company to pass on their contact details to other partners, leaving it up to the partners to decide whether to engage. This alternative would be less intrusive and still serve the legitimate interests of the plaintiffs.
  - Balancing of interests: The Court ruled that even if a legitimate interest exists, it must not override the fundamental rights and freedoms of the data subjects (the other partners). The Court noted that the partners with indirect shareholdings had a reasonable expectation of confidentiality, and this expectation likely outweighed the plaintiffs' interests.
- Conclusion on Point (f): The Court held that while the plaintiffs may have a legitimate interest, the processing of personal data in this case was not strictly necessary, and the interests or fundamental rights of the data subjects (partners) took precedence.
5. Point (c): Compliance with a Legal Obligation
The referring court also raised the possibility of a legal obligation under national law that might require the disclosure of partners’ contact details. In some national case law, there may be an obligation to disclose such information, particularly within the context of transparency in partnerships.
- Court’s Response: The Court stated that any legal obligation to process personal data must be based on clear, precise, and foreseeable national law, as required by Article 6(3) GDPR. Additionally, such a legal obligation must meet an objective of public interest and be proportionate. The referring court must verify whether such a legal obligation exists under national law and whether it meets these criteria.
- Conclusion on Point (c): The Court deferred to the national court to determine whether a legal obligation exists under national law, but stressed that such an obligation must comply with the requirements of clarity, precision, and proportionality as set out in EU law.
Final Judgment and Conclusions
- Point (b) (Performance of a Contract): The processing of personal data for disclosing partners' contact information is not justified under this provision, especially when the contract explicitly prohibits such disclosure.
- Point (f) (Legitimate Interest): While the plaintiffs may have a legitimate interest in contacting other partners, the disclosure of their personal data is not strictly necessary, and the data subjects' (partners') right to confidentiality takes precedence.
- Point (c) (Compliance with a Legal Obligation): The Court left it to the national court to determine whether such an obligation exists under national law, subject to the condition that the law is clear, precise, and proportionate.
The Role of Consent: Key Takeaways
This judgment reinforces that consent remains a cornerstone of lawful data processing under the GDPR.
While alternative grounds like legitimate interest may sometimes justify processing, where consent is absent any other legal basis must meet a high threshold before it applies. Consent, when freely given, specific, informed, and unambiguous, remains the gold standard for ensuring compliance, particularly in sensitive contexts where confidentiality is expected, as with financial partnerships.
This ruling underscores the importance of protecting personal data and suggests that when consent is not obtained, businesses must apply a very narrow and restrictive interpretation of other lawful bases. AesirX focuses on helping organizations navigate these complexities, emphasizing first-party consent solutions to ensure GDPR compliance.
Broader Implications
This judgment reinforces the strict interpretation of Article 6(1) of the GDPR, particularly in limiting the use of legitimate interest as a lawful basis for data processing. It stresses the need for carefully balancing the rights of data subjects against the interests of data controllers or third parties, especially where individuals have a reasonable expectation of privacy and confidentiality. Furthermore, the judgment underscores the necessity of well-defined and explicit legal obligations when processing personal data under national law.
The decision highlights the critical role of transparency in contractual agreements and the protection of personal data, especially in business structures involving multiple parties. It reaffirms the GDPR’s focus on prioritizing individual rights over economic interests, requiring businesses to be more vigilant in securing valid consent or adhering strictly to other lawful bases for processing.
In summary, the ruling elevates the protection of personal data above commercial objectives, aligning firmly with the GDPR's core principles. Businesses must take proactive steps to ensure that they are obtaining valid consent or rigorously applying alternative legal bases when consent is absent.
To learn more about how AesirX can help you stay compliant and avoid fines, contact us for a Privacy Review or try our free Privacy Scanner to evaluate your website’s current consent practices.
Ronni K. Gothard Christiansen // VikingTechGuy
Creator, AesirX.io