The judgment also addressed a key case regarding the processing of special categories of personal data—namely sensitive information such as sexual orientation. While Mr. Schrems had openly declared his orientation in a public forum, the Court held that this did not constitute valid consent for Meta to collect additional sensitive information from external sources—cookies, affiliates, offline behavior—for advertising purposes. This confirms a strict application of Article 9 GDPR, requiring explicit and specific consent that cannot be inferred from mere public disclosure.
Legitimate interest as a legal basis: Towards a structured model
Alongside this strict view on minimisation, the CJEU has developed a deeper doctrinal analysis of legitimate interest (Article 6.1.f GDPR). While less publicised, its practical impact is significant. In Case C-621/22, involving a sports association using member data for advertising, the Court concluded that although legitimate interest may justify processing without explicit consent, it must undergo a rigorous proportionality test: the basis must be lawful, necessary, and proportionate considering the data’s nature, the relationship context, and the reasonable privacy expectations of the individual. This creates a concrete obligation for data controllers to rigorously document each case through real impact assessments on the rights of the data subject.
The dual approach—strict minimisation and heightened scrutiny of legitimate interest—means that controllers must build operational justification based on robust internal protocols, including data mapping, retention limits, and documented necessity assessments. Thus, the CJEU case law narrows lawful data use without halting business operations, provided conditions are reasonable and verifiable.
Right to be forgotten: Doctrinal evolution toward active protection
Since the landmark “Google Spain” ruling (C-131/12, 2014) and the territorial clarification in “Google France” (C-507/17, 2019), the right to be forgotten has gradually expanded in scope and function. The most recent milestone is Judgment C-460/20 of December 8, 2022, issued by the CJEU Grand Chamber, which shifts toward proactive protection against inaccurate or harmful search engine indexing.
A key development is that no final court ruling is required to request link removal when the linked content is manifestly inaccurate. While the applicant must provide reasonable, verifiable evidence, the search engine must independently weigh the individual’s rights against any public interest in the information.
Previously, in practice, platforms like Google often denied delisting requests lacking a prior court decision. This deferred judgment entirely to judicial bodies, avoiding any substantial responsibility. The CJEU now rejects that view, obliging search engines to evaluate requests reasonably based on submitted documentation.
This reinforces Article 17 GDPR: the right to be forgotten extends beyond outdated data to include inaccurate or unverifiable information. The ruling also emphasises the impact of associated image thumbnails, recognising their potential to amplify harm. Search engines must limit or suppress graphic elements when they worsen the impact of linked content.
Ultimately, this case law shift transforms professional practice. Legal requests to delist from search engines can no longer be dismissed for lacking court rulings—they must be assessed in substance. This strengthens citizens’ rights and enhances lawyers’ role in defending digital rights proactively.
Technical and documentary framework: Rights and duties of controllers
The CJEU’s rulings impose operational standards that go beyond formal GDPR interpretation. Controllers must implement an active data minimisation programme with automatic deletion protocols, periodic reviews, and differentiated criteria for sensitive data under Article 9. Additionally, legal bases must be documented with detailed assessments reflecting business needs and proportionality versus individual rights.
Moreover, courts now require internal procedures to handle right-to-be-forgotten requests, including contextual reviews of links, images, and metadata. While the burden of proof lies mainly with the data subject, search engines must conduct a reasoned and balanced assessment and maintain technical systems to ensure effective blocking within the EU.
Towards a legally rigorous and technological approach
The CJEU strengthens a data protection model that blends legal rigor and technical capability. Controllers must implement active data deletion, document legitimate interest analyses, and ensure right-to-be-forgotten compliance for links and images. Technologically, territorial blocking and traceability systems are essential.
Although this evolution increases operational complexity and documentation obligations, it also builds public trust. Legal advisors must now equip organisations with compliance tools and technologies that prove GDPR adherence.
In this context, specialised legal guidance is essential to ensure compliance and protect digital rights effectively. At Navas&Cusí, you can rely on an expert lawyer in EU law to advise you on GDPR-related conflicts and European case law. Our team combines legal expertise and tech-savviness to offer tailored solutions. Trust professionals with proven experience before the CJEU.
