By judgment from 9 January 2025 in Case C‑394/23 the Court of Justice (CJEU) rules that the processing of personal data relating to the title of the customers of a transport undertaking is not necessary and might even be not legally grounded.
Titles whose purpose is to personalize commercial communication based on their gender identity, do not appear to be either objectively indispensable or essential to enable the proper performance of a contract, says CJEU. Therefore, they cannot be regarded as necessary for the performance of that contract or as essential for the legitimate interests pursued by the data controller or by a third party, where those customers were not informed of the legitimate interest pursued when those data were collected; the processing is not carried out only in so far as is strictly necessary for the attainment of that legitimate interest; or in the light of all the relevant circumstances, the fundamental freedoms and rights of those customers can prevail over that legitimate interest, in particular because of a risk of discrimination on grounds of gender identity.
Association Mousse, an organization that fights against gender discrimination, challenged the practice of SNCF Connect, the French railway company, before the French data protection authority (CNIL), arguing that requiring customers to specify their title (e.g., "Monsieur" or "Madame" / "Mr" or "Ms") when purchasing tickets online violates the General Data Protection Regulation (GDPR). Mousse believes this requirement violates the principle of data minimization, as the title, which indicates gender identity, does not appear necessary for purchasing a rail ticket.
In 2021, the CNIL rejected the complaint, determining that the practice did not breach the GDPR. Mousse disagreed with the decision and appealed to the French Council of State, requesting that the decision be annulled. The Council of State referred the case to the CJEU, asking whether the collection of data regarding titles (specifically ‘Monsieur’ or ‘Madame’) can be considered lawful and compliant with the principle of data minimization, particularly when this data is used for personalized commercial communication, in line with common practices in the sector.
The CJEU reaffirmed the principle of data minimization, emphasizing that data collected must be adequate, relevant, and limited to what is necessary based on the purposes for which it is processed. The CJEU also reiterated that the GDPR outlines a strict and exhaustive list of circumstances under which personal data processing can be considered lawful. This includes situations where processing is (i) necessary for fulfilling a contract with the data subject or (ii) necessary for the legitimate interests pursued by the data controller or a third party.
Regarding the first justification, the CJEU stressed that for data processing to be deemed necessary for the performance of a contract, it must be objectively indispensable to fulfill that contract. In this case, the CJEU found that personalizing commercial communication based on gender identity, inferred from the customer's title, was not objectively necessary for the proper performance of a rail transport contract. The railway company could instead use generic, inclusive language in addressing customers, which would be less intrusive and equally effective.
On the second justification, the CJEU, referencing its established case law, stated that processing data on customers' titles to personalize communication-based on gender identity cannot be considered necessary if (i) customers were not informed of the legitimate interest pursued during data collection; (ii) the processing is not limited to what is strictly necessary to achieve that legitimate interest; or (iii) the fundamental rights and freedoms of customers, especially in terms of potential gender identity discrimination, outweigh that legitimate interest.
The CJEU’s analysis is interesting (probably to a very specialized, narrow audience dedicated to the regulation of personal data protection) and, to some extent, well-reasoned and in conformity with the letter of law. However, the judgment raises a number of questions as well:
What exactly is the risk level associated with using titles, and to what extent are the rights and interests of the data subjects violated?
Is there really no legitimate interest on the part of the railway company in considering the gender identity of its passengers? (For example, by doing so, it could improve its services during travel by providing specific additional comforts related to a particular gender, such as hygiene products or pregnancy care, etc.).
Where is the line between the actual risk of discrimination and providing good services?
Against the backdrop of such significant gaps in the application and practice of GDPR by individual Member States, which relate to business development, innovation, and the rights of data subjects - How is such judgment helpful for society in applying the legal provisions without feeling overwhelmed by excessive regulatory pressure?
If it is not legally justified to use the titles "Ms." and "Mr." when purchasing travel tickets, is the use of these titles by the train staff when addressing travelers also a violation of the principles of data minimization?
All questions without answers... and a judgment that undoubtedly reflects a strict interpretation of the norms, without, however, safeguarding or rationalizing the purpose of the law.
By Irena Georgieva, Managing Partner, PPG Lawyers
