Do you really need my title? The CJEU says no – a win for consumer privacy in case C‑394/23 – Go Health Pro

(Source: Freepik)

Have you ever been asked about your title while purchasing something online? It’s a common practice, but most of us (consumers) don’t realise that it raises concerns from a data protection perspective, especially when the seller requires us to provide this information and does not allow us to skip the form field and place the order without disclosing our gender. This practice was challenged by the French association Mousse in proceedings against the French Data Protection Authority (Commission nationale de l’informatique et des libertés, CNIL) and the French railway operator SNCF Connect, eventually resulting in a preliminary ruling by the Court of Justice of the EU (Case C‑394/23).

 

The facts


SNCF Connect sells rail travel documents such as train tickets and discount cards via its website and mobile applications. When purchasing these products, customers are required to indicate their title by selecting either Monsieur (Mr) or Madame (Ms). This requirement raised Mousse’s concerns about its compliance with the General Data Protection Regulation (GDPR).


The association filed a complaint with CNIL, arguing that the collection of titles lacked a valid legal basis under Article 6(1) GDPR, violated the data minimisation principle under Article 5(1c), and failed to meet the transparency and information obligations set out in Article 13 GDPR. The CNIL rejected the complaint, concluding that collecting titles was justified as necessary for the performance of a contract under Article 6(1b) and aligned with accepted norms of personalised communication (paras. 13–15). Mousse appealed the decision to the French Conseil d’État, which referred several preliminary questions to the CJ.

The ruling


The Court of Justice essentially said “no” to this kind of data processing. It did not declare that the processing of title-related personal data is categorically prohibited under the GDPR, but stressed that in the specific context of this case, it “does not appear to be either objectively indispensable or essential to enable the proper performance of the contract” concluded with the consumer (para. 39).

Here are the key takeaways from the judgment:


1. The Court focused its analysis on Articles 6(1b) and 6(1f) GDPR, which establish when data processing is lawful. Article 6(1b) allows processing when it is “necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”, while Article 6(1f) permits it if it serves a legitimate interest of a controller or a third party, provided that interest is not overridden by the data subject’s fundamental rights and freedoms.

The Court made it clear that when relying on contractual necessity under Article 6(1b), the controller must show that the processing is “objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject” (para. 33). In other words, the controller must demonstrate that the processing “must be essential for the proper performance of the contract concluded between the controller and the data subject and, therefore, that there are no workable, less intrusive alternatives” (para. 34). Applying this to the case at hand, the Court rejected the CNIL’s and SNCF’s claim that collecting customers’ titles is necessary for personalised commercial communication, and that such communication is an essential part of the contract. According to the Court:

“Commercial communication may constitute a purpose forming an integral part of the contractual service concerned, since the provision of such a rail transport service involves, in principle, communicating with the customer in order, inter alia, to send him or her a travel document by electronic means, to inform him or her of any changes affecting the corresponding journey, and to allow exchanges with the after-sales service. That communication may require adherence to accepted practices and may include, in particular, forms of addressing a customer, in order to show that the undertaking concerned respects its customer and thereby to safeguard that undertaking’s brand image. However, it appears that such communication does not necessarily have to be personalised based on the gender identity of the customer concerned” (paras. 37–38).

In short, personalising content is not necessary if the same service can be provided in a standard, non-personalised way. The controller could instead use more privacy-friendly alternatives, such as generic and inclusive forms of address that do not rely on the consumer’s assumed gender identity (para. 40).

2. Furthermore, the systematic and generalized processing of consumers’ titles cannot be justified by the mere fact that some of them use the services of night trains, even if it is necessary to adapt transport services for night trains, which have carriages reserved for persons with the same gender identity, and to assist passengers with disabilities. In the Court’s view, it does not justify the collection of titles of all customers, including those who travel during the daytime or who do not have disabilities. Such a practice is disproportionate and contrary to the principle of data minimization (para. 42).

3. As it regards the ‘legitimate purposes’ prerequisite, the Court found that personalised commercial communication can be achieved by using customers’ first and last names alone, since requiring their title or gender identity is not strictly necessary, particularly in light of the data minimisation principle (para. 55). Moreover, it’s important to note that Article 6(1f) GDPR does not allow “common practices or social conventions” to justify the necessity of processing personal data (para. 56).

4. Finally, the fact that data subjects may object to the processing under Article 21 GDPR is irrelevant in this context. According to the Court, this opt-out mechanism should not be taken into the account while assessing whether the original data collection was lawful (para. 70). To put it simply, controllers cannot justify collecting unnecessary personal data by simply allowing individuals to object afterward. While the right to object is an important safeguard, it does not give controllers a free pass to collect data first and handle objections later.

Our comment


The judgment has a direct impact on the practices of certain data controllers who, without a valid legal basis, collect excessive data concerning consumers’ titles and gender identity, where such information is not necessary for the purposes of processing. The CJ ruling serves as a clear reminder that personal data must be processed in accordance with the principle of data minimisation, meaning that only data strictly necessary to achieve the intended purpose should be collected and used.

Importantly, the Court did not declare that the collection of such data is absolutely prohibited under the GDPR. Rather, it emphasised that lawfulness depends on the specific context. For example – although not stated explicitly, this can be inferred from the reasoning – a controller may process such data on the basis of the data subject’s consent. In that case, a form used by the consumer to conclude a contract could include an optional field allowing the individual to indicate a preferred form of address. Crucially, this field would not be mandatory: if the consumer wished to provide that information, they could do so; if not, they could simply skip it without consequence. 

PS. In the context of this judgment, it is also worth drawing attention to another recent CJEU decision (case C‑247/23) which likewise concerned the processing of gender identity data. In that case, the Court reaffirmed that one of the fundamental duties of a data controller is to ensure the accuracy of the personal data processed. If a data subject exercises its right to rectification, the controller should not impose disproportionate administrative burdens that unjustifiably hinder the exercise of that right. The case involved a request to update the gender information in a public register maintained by a Hungarian authority. The individual, registered as female, sought to have the record amended to reflect his male gender, submitting medical documentation to support the request. The authority, however, demanded proof of surgical gender reassignment – a requirement the CJ found excessive and incompatible with the essence of fundamental rights, including the rights to personal integrity and respect for private life.

Leave a Comment

x