I told you so (or, let’s talk about some Mousse)
This edition dives into the CJEU's Mousse ruling and its impact on GDPR and marketing practices.
(Scope: GDPR)
I could be having a huge told you so moment, but instead, I’ll write this little case note for you.
On Mousse.
No, not the chocolaty velvety one nor the gender-neutral baby wear colour of the moment.
But the C-394/23 type. It does have to do with gender, but I will get there in a moment.
C-394/23, aka Mousse, is a judgment recently published by the CJEU (Court of Justice of the EU).
And why do I bother to write a case note for marketers?
(Well, why should I keep all the fun to myself?)
Case law defines how regulations, such as the GDPR, are interpreted. Depending on who provides the interpretation and in what form, it can become law.
It works a bit like this:
Now, back to Mousse.
This specific judgment is interesting and important in several ways, but today, I will focus on why it is important and relevant to marketing—and only that.
Ready?
Background
Ever take the train in Europe? Or, more specifically, France?
If you bought your ticket online, you were asked for your name, ticket type, train time, credit card information, and email address—the basics. Along with those form fields was a drop-down menu asking for Mr/Mrs (or rather ‘Monsieur’ or ‘Madame’).
All good, right?
Mousse didn’t agree. They didn’t like that they had to choose between Mr. and Mrs. and filed a complaint.
First, they complained to the CNIL (the Data Protection Board of France), but the CNIL disagreed and dropped it.
Mousse insisted that making them choose between the options provided by the SNCF (the French train company) did not follow the principle of data minimisation, that there was no legitimate interest (see here for more on that) in collecting that data, and that by having to choose they might be discriminated against based on the information provided (gender). So they took it to the courts of France, who themselves had questions.
When a court has questions, it goes to the CJEU.
The CJEU answers those questions and thereby clarifies (or sometimes confuses - aka leaves us with more questions) the interpretation of the law.
So what did the CJEU clarify?
Three main topics were discussed.
Data Minimisation
Legitimate Interests
Contractual Necessity
A few emails ago, we discussed the legal basis that marketers tend to use, and of course, contractual necessity came up. It’s a good one. It’s nice to say, “We collect all this data based on the needs of the contract and, therefore, don’t need your consent.”
But the CJEU says:
for the processing of personal data to be regarded as necessary for the performance of a contract […] it must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject. The controller must therefore be able to demonstrate how the main subject matter of that contract cannot be achieved if that processing does not occur (para.33)
In short, unless your contract falls apart without that information, you can’t collect that data based on the reason of contractual necessity.
Okay, but we want to know the gender of the person we are dealing with so we can correctly address them in the emails we send. Guess we need to rely on legitimate interest then?
You could. Let’s see what the CJEU said.
As a reminder, to use legitimate interest as your legal basis, you need to perform a 3-step test (legitimate, necessary, balancing), making sure that you consider and balance against each other your rights as a business and those of the person whose data you will use.
This is where it got interesting.
The courts state that we need to consider legitimate interest “in conjunction with” the data minimisation principle (process only what you need, or put differently, data needs to be adequate, relevant, and limited).
This means that if you don’t need the data, i.e., if it is not “strictly necessary,” you can’t use legit interest to begin with. There is an allowance for direct marketing, but do we need their title or gender to send them direct marketing emails?
And you need to consider the user's rights - could they be discriminated against based on gender?
The courts essentially set up a triple hurdle to complete (on top of the 3-step test) so we can use legitimate interests:
Did you notify the user beforehand? (i.e., Privacy notice)
Is it “strictly necessary”?
Does it affect their fundamental rights? (in this case, risk of discrimination)
So, what does all this mean for marketers?
Collect what you need, not what you think you need
Separate your purposes to determine your legal basis (don’t bundle)
Make sure you have clear notices that inform the user
Only use contractual necessity if it would make the contract crumble without that data
Make sure you complete an impact assessment for legitimate interest
Always consider how the data you are collecting could affect the user’s rights
None of this means you can’t collect the title or personalise your emails. And none of this means you can’t process certain data based on contract or legitimate interests.
It just means you have some steps to consider before you do.
Related reading:
The judgment (would you rather get my annotated versions? Let me know)
My past email on Legit Interest
My past email on Data Minimisation
WTF or FTW (aka Siobhan’s take)
You’ve heard it before, but I’ll say it again.
Don’t collect or process data you don’t need.
Forget just-in-case data. Only collect what you can act on and that you actually use. Then, figure out what legal basis you can use.
For real - I think this is a bit of a WTF moment. I’m not a huge fan of how the courts are essentially pushing for consent being the way to go - like it’s the queen of legal bases and lords over the others. There are some good points in the judgment, but generally this idea of strictly necessary, reading together with data minimisation, etc. is just not realistic. And then it makes me wonder what this all means for the other legal bases. Do we also read those in conjunction with data minimisation? Can we collect any data that is not strictly necessary to us as a business that allows us to market better (other than getting consent)?
(I’ll stop ranting now… you get the point. I have a lot of questions I’m still processing while rereading this judgment over and over again)
x
Siobhan
PS: this along with my annotated files and playbook for assessing legal basis along with the legitimate interest assessment will launch on The Marketers Privacy Hub next week.