The Court of Justice of the European Union, or CJEU (also referred to as the European Court of Justice) is the highest Court that rules on matters of substantive law. As the GDPR is an EU Regulation, this means that the CJEU’s interpretation of the law is the definitive one. Although the GDPR is a comprehensive law that is meant to apply in the same way across the EU, it is enforced by regulators at a national level. This means that some concepts, such as consent and legitimate interest, may be interpreted differently depending on the EU Member State you are based in. The rulings of the CJEU are therefore helpful in understanding in more detail how the GDPR has to be applied and tested, and may help to justify particular data protection practices.
For a list of GDPR relevant Case Law summaries, please refer to our page on CJEU Case Law Summaries.
As we alluded to above, enforcement of the GDPR depends on the national level supervisory authorities. Unfortunately, they do not always see eye to eye on how certain provisions of the law should be interpreted, and this is especially true when it comes to how they intend to enforce the rules in online advertising use cases. We have prepared a small table highlighting some different interpretations of the law by supervisory authorities in their guidance documents, along with a link to the guidance pages or documents. While this doesn’t cover all EU supervisory authorities, we feel that this is a representation of some of the more notable (and outspoken) authorities as well as those which many of our members have chosen as their one-stop shop.
The GDPR isn’t the only EU legislation in the area of privacy and data protection. In fact, the ePrivacy Directive, which primarily focuses on securing privacy in the telecommunications sector, has a particular provision (Article 5(3)) which requires consent for the accessing or storing of information on a user device - which includes cookies and other devices used by online advertising technology for a variety of purposes (such as audience insights, targeting, ad verification and security). This meant that the directive has also often been called ‘the cookie law’.
There are two key ways in which the GDPR and the ePrivacy Directive interact:
As the ePrivacy Directive is an older law, originally entering into force in 2002 and getting an update in 2009, there has been an effort to adopt a newer version: the ePrivacy Regulation. This is still an ongoing process, and if you would like to learn more about IAB Europe’s advocacy efforts on this file you can find more information on our European Digital Policy page.
On 16 July 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-US Privacy Shield in its Judgment in Case C-311/18 (Schrems II). This Judgment is of direct concern to any company which used the Privacy Shield to transfer personal data from the EU to the US, and holds wider implications regarding the legality of transferring data through the use of Standard Contractual Clauses (“SCCs”) to any non-EU country. This is the second time that the CJEU invalidated a data transfer mechanism; in 2015, the Safe Harbour principles were also declared invalid by the CJEU in Case C-362/14 (Schrems I), under relatively similar circumstances.
On our EU-US Privacy Shield FAQs page we’ve summarised what this Judgment means for the online advertising-supported internet, which pitfalls to avoid, and where to look for more detailed guidance.
To help you on your journey and to keep things as simple as possible, here are some concepts and terms you should familiarise yourself with first; these are common in the world of data protection, but their exact meaning and context may be slightly different to what they initially seem.
Laws like the GDPR are designed to protect only personal data, and as a result understanding the definition of it is very important. The GDPR provides a very broad definition of personal data by design, and as a result the GDPR has a very broad application.
What makes something personal data? It’s not about which types of data are covered, but rather what the data can tell you about an individual. Generally speaking, any types of identifier that are unique to a single individual, such as tracking cookie identifiers that are used to recognise the same user across multiple websites on the internet, will likely be considered as personal data.
This term gets thrown around a lot in the world of data protection law. The term itself refers to almost any action that can be done to personal data - in fact the GDPR’s definition states processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”.
That includes (but isn’t necessarily limited to): “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” Even removing personal data from your database or servers is considered data processing under the GDPR, and this is why it's important to understand which kinds of data fall within the definition of personal data - if you “have” personal data as a company and use it in the course of business, you are processing it and have to abide by the GDPR’s principles.
Data subject is the term for an individual whose personal data is processed in a situation falling within the GDPR. They are the ‘subject’ of the data processing carried out. In an online advertising context, they are usually what we would call ‘consumers’, ‘customers’, and ‘internet users’.
Consent and Legitimate interests are two types of ‘legal basis’. A legal basis is a justification that is needed under the GDPR in order to do personal data processing. Without a legal basis, processing personal data of EU residents is illegal; but this also applies to any business processing personal data from within the EU, regardless of whether the data is about individuals within the EU.
Consent, as the name suggests, is a legal basis for data processing that relies on individuals giving consent to the company or organisation that wishes to process their personal data. It’s simple enough and straightforward as a concept, but the GDPR specifies four conditions that have to be met before consent can be considered as valid - specific, informed, freely given, and unambiguous.
In the post-GDPR world, many publisher organisations use consent management platforms (“CMPs”) to get consent on behalf of the publisher and its third party advertising partners. Want to learn more? Read our Guidance paper on Consent here.
The Legitimate Interest is a separate legal basis, which does not require up-front consent and has different conditions, namely that the controller can specify their legitimate interest, the data processing in question has to be necessary to achieve the legitimate interest, and the controller must make a balancing test to ascertain whether their data processing is justifiable without the content of the data subject.
It is important to bear in mind that, while the user’s up-front opt-in isn’t necessary, they must still be provided with granular information up front about the types of data being collected, the purpose for that collection, and which third parties will be receiving this data. Authorities will also do a case-by-case analysis to review whether the legitimate interest is valid in case there are investigations or complaints.
The distinction between Controllers and Processors in data protection law is extremely important because it assigns the ultimate responsibility for ensuring the protection of personal data. Controllers are capable of deciding on the means, as well as the purposes of processing personal data. As some of the CJEU judgments show, this concept is interpreted quite broadly under the GDPR, and for many data processing operations there can be multiple joint controllers which must assign among themselves the various responsibilities arising from the GDPR.
A processor is an organisation that is procured by a controller or set of joint controllers in order to do specific tasks for the controller with personal data. They therefore do not decide on the means or the purposes of data processing, but carry it out for the controller. This may be the case where it offers a specific service on behalf of the controller, making use of data provided by the controller.
