TOP 5 EU DATA PROTECTION CASES IN 2024

Fines for privacy violations in the EU have surpassed €4.2 billion since the GDPR came into force. Read about the most prominent cases in our review.


The European Commission’s second GDPR enforcement report, published in 2024, revealed that fines have surpassed €4.2 billion since the Regulation came into force in 2018. This underscores the increasing scrutiny of data protection compliance and the EU’s commitment to robust enforcement. Alongside high-value penalties, several key rulings from the Court of Justice of the European Union (CJEU) and national authorities have clarified core GDPR principles and enforcement standards.

SCHREMS VS META: DATA MINIMIZATION IN ADVERTISING

In October 2024, the CJEU issued a landmark ruling in the case brought by privacy activist Max Schrems against Meta Platforms (formerly Facebook), addressing how the company processes personal data for personalized advertising.

Background

Meta had been relying on contractual necessity (Article 6(1)(b) GDPR) to justify its behavioral advertising practices, arguing that targeted ads were part of the core service. The case challenged whether this approach was compatible with the GDPR’s principles on lawfulness, necessity, and user consent.

Key Findings

  • The Court ruled that advertising is not objectively necessary to fulfill the contract between Meta and its users. As such, Article 6(1)(b) could not be used to justify data processing for ad personalization.

  • The court also reinforced the data minimization principle (Article 5(1)(c)), stating that Meta was collecting and processing more data than necessary for this purpose.

  • It reaffirmed that valid consent under Article 6(1)(a) must be freely given, specific, informed, and unambiguous – and cannot be bundled with general access to a service.

Implications

This ruling sends a strong message that adtech platforms cannot bypass consent requirements by embedding advertising into contractual terms. Organizations must ensure that consent for tracking and targeting is separate, optional, and clearly presented, and that all data collection is proportionate to the stated purpose.

LINDEN-APOTHEKE CASE: EXPANDING THE DEFINITION OF HEALTH DATA

The CJEU clarified the scope of “special category” personal data in a case involving a German online pharmacy, ruling that data related to online medicine purchases can qualify as “health data” under Article 9 GDPR.

Background

The case involved a pharmacy’s practice of collecting names, addresses, and lists of purchased medications during online orders. The key legal question was whether this seemingly routine customer data constituted health-related information requiring enhanced protection under the GDPR.

Key Findings

  • The CJEU ruled that information about medication purchases can indirectly reveal a person’s health status, such as chronic illnesses or mental health conditions.

  • When such inferences are possible, the data must be treated as special category data, even if not explicitly marked as “medical.”

  • Consequently, this data requires a lawful basis under Article 9(2), typically explicit consent, and may not be processed for commercial use without meeting GDPR’s heightened standards.

Implications

This ruling significantly broadens the types of data considered “health data,” especially in e-commerce, healthcare, and pharmaceutical contexts. Businesses handling similar datasets must apply stricter consent, security, and data minimization protocols or risk regulatory action for mishandling sensitive data.

ROYAL DUTCH LAWN TENNIS ASSOCIATION CASE: LEGITIMATE INTEREST AND MARKETING BOUNDARIES

In this case (C-621/22), the CJEU examined whether a sports association could use the “legitimate interests” legal basis to disclose member data to third parties for marketing purposes.

Background

The Royal Dutch Lawn Tennis Association (KNLTB) had shared member information with sponsors and commercial partners without obtaining explicit consent, relying on Article 6(1)(f) GDPR (legitimate interest) as the legal basis for the data disclosure.

Key Findings

  • The Court held that commercial interests such as advertising can qualify as a legitimate interest, but only if the processing is necessary and subject to a rigorous balancing of interests.

  • It emphasized the need to assess whether data subjects’ fundamental rights and freedoms override the controller’s interests, particularly where individuals do not reasonably expect their data to be used this way.

  • The ruling clarified that the legitimate interest test is not a fallback when consent is unavailable.

Implications

Following the ruling, the European Data Protection Board (EDPB) issued further guidance stating that controllers must clearly document the necessity and proportionality of any processing under Article 6(1)(f). The case sets limits on how far organizations can go in using or sharing personal data for commercial gain without consent, even when no sensitive data is involved.

UBER FINED €290 MILLION FOR UNLAWFUL DATA TRANSFERS

In 2024, the Dutch Data Protection Authority fined Uber €290 million for illegally transferring personal data of EU-based users and drivers to the United States.

Background

This enforcement action follows the Schrems II judgment (CJEU, 2020), which invalidated the EU–U.S. Privacy Shield and set strict conditions on the use of Standard Contractual Clauses (SCCs) for data transfers to third countries lacking adequate protection.

The ruling requires companies to conduct transfer impact assessments (TIAs) and apply supplementary safeguards (e.g., encryption, access restrictions) when exporting data to high-surveillance jurisdictions.

Key Findings

  • Uber continued transferring data to the U.S. without properly assessing the legal risks associated with U.S. surveillance laws (e.g., FISA 702).

  • The company failed to implement technical or organizational safeguards to mitigate access risks and did not document a compliant transfer risk assessment.

  • These actions violated Articles 44-46 GDPR, as Uber could not guarantee an equivalent level of data protection for EU users abroad.

Implications

The case demonstrates that international data transfers remain a major enforcement priority and regulators expect companies to conduct real-world assessments, not theoretical compliance exercises. The European Commission has announced that updated SCCs will be introduced in 2025, which will place even stricter obligations on organizations exporting personal data to countries outside the EU.

LINKEDIN FINED €310 MILLION FOR MISUSE OF CONTRACTUAL NECESSITY IN AD TARGETING

The Irish Data Protection Commission (DPC) imposed a €310 million fine on LinkedIn for unlawfully relying on contractual necessity to justify processing personal data for personalized advertising.

Background

LinkedIn had argued that behavioral advertising was integral to its business model and thus “necessary for the performance of a contract”, allowing it to use user data for targeted ads without explicit consent under Article 6(1)(b) GDPR.

Key Findings

  • The DPC found that personalized advertising is not essential to the core service of providing professional networking features.

  • By using contractual necessity as a legal basis, LinkedIn denied users meaningful control over how their data was processed for commercial gain.

  • The enforcement decision emphasized that consent – not contract – is the appropriate legal basis for behavioral advertising.

Implications

This case reinforces earlier rulings, including Schrems vs Meta, that companies cannot stretch the concept of “necessity” to cover business interests unrelated to core service delivery. Controllers must clearly separate optional features from contractual obligations and offer users real choice – especially when profiling or third-party data sharing is involved.

Jun 10, 2025

© Bytes&Rights, 2023-2025
