In a highly anticipated ruling, the Court of Justice of the European Union (CJEU) recently delivered a decisive judgment in the case of Schrems v. Meta (Case C-446/21). The case, which has garnered significant attention, centered on how Meta Platforms (Facebook’s parent company) processes personal data for targeted advertising and whether it has violated the General Data Protection Regulation (GDPR). The ruling imposes strict limitations on the use of personal data for advertising and addresses key issues surrounding privacy and data protection in the digital era.
At the heart of the case was Meta’s long-standing practice of using vast amounts of personal data—collected over years and from multiple sources, both on and off Facebook—to tailor personalized advertisements to users. This data collection extends back to 2004 and includes a wide array of information, from data entered by users to data collected through online tracking mechanisms like cookies and pixels. Meta’s advertising model, which aggregates this data, has faced numerous criticisms regarding its compatibility with the GDPR.
In its ruling, the CJEU emphasized the importance of the GDPR’s data minimization principle, outlined in Article 5(1)(c). The Court stated that online platforms like Facebook cannot use personal data for targeted advertising without restrictions concerning the type of data or the time for which it is stored and used. This decision represents a major blow to Meta’s business model and the broader online advertising industry, as it restricts the indefinite use of personal data for advertising purposes.
The ruling also affirms that even if a user consents to personalized advertising, data must still be minimized, and the use of this data must be necessary for its intended purpose. National courts are expected to implement the specifics of this data minimization principle in practice.
The second issue addressed in the case relates to the processing of sensitive personal data, particularly Mr. Schrems’ public comments about his sexual orientation during a panel discussion. Meta argued that because Mr. Schrems made statements about his sexual orientation in a public forum, this implicitly authorized the company to process data related to his sexual orientation in the context of targeted advertising.
The CJEU rejected this argument, stating that just because Schrems publicly disclosed sensitive information does not mean that Meta can process other personal data related to his sexual orientation without restrictions. The Court noted that the processing of personal data must be directly tied to the purpose for which it was originally shared and cannot be retroactively applied to justify earlier data collection or advertising efforts.
This ruling is a significant victory for privacy advocates, including Max Schrems, who has been at the forefront of legal battles against Meta for years. Schrems’ lawsuits have consistently challenged the legality of Meta’s data practices under European law, and this ruling reinforces the GDPR’s stringent requirements on how personal data can be used.
The ruling serves as a reminder to tech companies that even voluntary public disclosures of sensitive information do not justify broad and unchecked data processing. Businesses must continue to align their practices with the GDPR, especially in terms of data minimization and purpose limitation.