UPDATE — SEPTEMBER 2025: Since the Court of Justice of the European Union’s landmark Schrems v. Meta ruling (Case C-446/21) in 2024, the case has continued to reshape EU data protection and the online advertising industry. Meta responded in early 2025 by introducing a “pay or okay” model in Europe. It offers users a choice between a subscription without ads or continuing with a free, ad-supported service. That is, if they consent to personalized tracking. This move has triggered controversy, with regulators and privacy advocates debating whether such paywalls genuinely respect consent under the GDPR.
National data protection authorities, especially in Ireland, Germany, and Norway, have opened investigations into Meta’s compliance, while Max Schrems’ NGO NOYB is challenging the legality of the subscription model, arguing it coerces users into surveillance-based advertising. At the same time, the European Commission has escalated oversight under the Digital Services Act (DSA). Under the DSA, Meta is a designated Very Large Online Platform. Therefore, they face new transparency and risk-mitigation requirements alongside the threat of billion-euro fines.
The Schrems ruling also had ripple effects beyond Meta. Courts in Germany and Austria reinforced that sensitive data disclosed in public cannot be repurposed for profiling, strengthening the principle that personal disclosures must remain tied to their original purpose. Across the industry, companies like TikTok and Google have scaled back microtargeting in the EU, shifting instead toward contextual advertising models.
ORIGINAL NEWS STORY:
Court of Justice of the European Union Rules in Favor of Schrems in Landmark Case Against Meta
The Court of Justice of the European Union (CJEU) has delivered a landmark ruling in Schrems v. Meta (Case C-446/21), setting strict limits on how online platforms process personal data for targeted advertising. The decision marks a turning point for data protection in Europe and poses new challenges for Meta and the broader online advertising industry.
Tightening GDPR Enforcement on Targeted Advertising
The case centered on whether Meta’s long-running practice of using extensive personal data for personalized ads violates the General Data Protection Regulation (GDPR). Meta’s system relies on years of user information collected both on and off Facebook, including data from tracking technologies such as cookies and pixels. Critics have long argued that this model breaches GDPR principles by aggregating too much personal data for commercial purposes.
The CJEU ruled that Meta cannot use personal data for targeted advertising without clear limits on how long and how broadly the data is processed. The Court reinforced the GDPR’s data minimization principle in Article 5(1)(c), which requires companies to use only the information necessary for a specific, defined purpose. This decision significantly restricts the indefinite use of personal data for advertising and forces major changes in how online platforms operate in Europe.
Sensitive Data and the Limits of Consent
Another major aspect of the case involved the use of sensitive personal data. Meta claimed that because Max Schrems publicly discussed his sexual orientation during a panel, it could process related data for advertising. The Court firmly rejected this argument. The CJEU ruled that public disclosure does not equal consent for broader processing. Data shared for one purpose—such as public discussion—cannot be reused to justify unrelated commercial profiling. Even when users consent to personalized advertising, companies must still apply data minimization and ensure that the processing remains necessary and proportionate.
A Major Win for Privacy and Compliance Standards
This decision represents a clear victory for privacy advocates. Max Schrems, who has spent years challenging Meta’s data practices, hailed the judgment as a reaffirmation of the GDPR’s strength. The ruling underscores that companies must respect purpose limitation: personal data can only be used for the reason it was originally collected. The CJEU’s judgment also sends a warning to other tech firms. Publicly available data, even when shared voluntarily, cannot be repurposed without explicit and lawful consent. National courts are now expected to apply these principles consistently across the EU, tightening scrutiny of data-driven advertising models.
Implications for the Tech Industry
The Schrems ruling has far-reaching implications beyond Meta. It compels all digital platforms to rethink their reliance on extensive data collection for ad targeting. Companies must now develop systems that prioritize transparency, data minimization, and user autonomy. For regulators, the case reinforces the GDPR’s role as a global benchmark for data protection and highlights the need for continuous oversight as AI and data-driven technologies evolve.
Need Help?
You might have questions or concerns about how to navigate the global AI regulatory landscape. Therefore, don’t hesitate to reach out to BABL AI. Hence, their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
