UPDATE — SEPTEMBER 2025: Since the Court of Justice of the European Union’s landmark Schrems v. Meta ruling (Case C-446/21) in 2024, the case has continued to reshape EU data protection and the online advertising industry. Meta responded in early 2025 by introducing a “pay or okay” model in Europe, offering users a choice between a subscription without ads or continuing with a free, ad-supported service if they consent to personalized tracking. This move has triggered fresh controversy, with regulators and privacy advocates debating whether such paywalls genuinely respect consent under the GDPR.

National data protection authorities, especially in Ireland, Germany, and Norway, have opened investigations into Meta’s compliance, while Max Schrems’ NGO NOYB is challenging the legality of the subscription model, arguing it coerces users into surveillance-based advertising. At the same time, the European Commission has escalated oversight under the Digital Services Act (DSA), where Meta, as a designated Very Large Online Platform, faces new transparency and risk-mitigation requirements alongside the threat of billion-euro fines.

The Schrems ruling also had ripple effects beyond Meta. Courts in Germany and Austria reinforced that sensitive data disclosed in public cannot be repurposed for profiling, strengthening the principle that personal disclosures must remain tied to their original purpose. Across the industry, companies like TikTok and Google have scaled back microtargeting in the EU, shifting instead toward contextual advertising models.

ORIGINAL NEWS STORY:

Court of Justice of the European Union Rules in Favor of Schrems in Landmark Case Against Meta

In a highly anticipated ruling, the Court of Justice of the European Union (CJEU) recently delivered a decisive judgment in the case of Schrems v. Meta (Case C-446/21). The case, which has garnered significant attention, centered on how Meta Platforms (Facebook’s parent company) processes personal data for targeted advertising and whether it has violated the General Data Protection Regulation (GDPR). The ruling imposes strict limitations on the use of personal data for advertising and addresses key issues surrounding privacy and data protection in the digital era.

At the heart of the case was Meta’s long-standing practice of using vast amounts of personal data—collected over years and from multiple sources, both on and off Facebook—to tailor personalized advertisements to users. This data collection extends back to 2004 and includes a wide array of information, from data entered by users to data collected through online tracking mechanisms like cookies and pixels. Meta’s advertising model, which aggregates this data, has faced numerous criticisms regarding its compatibility with the GDPR.

In its ruling, the CJEU emphasized the importance of the GDPR’s data minimization principle, outlined in Article 5(1)(c). The Court stated that online platforms like Facebook cannot use personal data for targeted advertising without restrictions concerning the type of data or the time for which it is stored and used. This decision represents a major blow to Meta’s business model and the broader online advertising industry, as it restricts the indefinite use of personal data for advertising purposes.

The ruling also affirms that even if a user consents to personalized advertising, data must still be minimized, and the use of this data must be necessary for its intended purpose. National courts are expected to implement the specifics of this data minimization principle in practice.

The second issue addressed in the case relates to the processing of sensitive personal data, particularly Mr. Schrems’ public comments about his sexual orientation during a panel discussion. Meta argued that because Mr. Schrems made statements about his sexual orientation in a public forum, this implicitly authorized the company to process data related to his sexual orientation in the context of targeted advertising.

The CJEU rejected this argument, stating that just because Schrems publicly disclosed sensitive information does not mean that Meta can process other personal data related to his sexual orientation without restrictions. The Court noted that the processing of personal data must be directly tied to the purpose for which it was originally shared and cannot be retroactively applied to justify earlier data collection or advertising efforts.

This ruling is a significant victory for privacy advocates, including Max Schrems, who has been at the forefront of legal battles against Meta for years. Schrems’ lawsuits have consistently challenged the legality of Meta’s data practices under European law, and this ruling reinforces the GDPR’s stringent requirements on how personal data can be used.

The ruling serves as a reminder to tech companies that even voluntary public disclosures of sensitive information do not justify broad and unchecked data processing. Businesses must continue to align their practices with the GDPR, especially in terms of data minimization and purpose limitation.

Need Help?

If you have questions or concerns about how to navigate the global AI regulatory landscape, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.