In a landmark decision, the top court in the European Union has ruled that Facebook parent company Meta cannot use personal data gathered from its own platforms or from external sources for targeted advertising without adhering to strict limits and restrictions under the bloc’s privacy laws.
Schrems had accused Facebook of processing his sensitive personal data to serve him with targeted ads in violation of the GDPR, specifically the data minimization rule, which requires companies to limit the amount of personal data collected and stored to what is strictly necessary.
The court sided with Schrems, stating that Meta’s data practices violated GDPR principles. Meta, according to the court, aggregated and processed vast amounts of user data for advertising purposes without appropriate restrictions on time or the type of data involved.
The judges wrote in their ruling that the relevant provisions of the GDPR “must be interpreted as meaning that the principle of data minimisation provided for therein precludes any personal data obtained by a controller, such as the operator of an online social network platform, from the data subject or third parties and collected either on or outside that platform, from being aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data.”
The court’s decision highlighted that Meta cannot process user data indefinitely, as it had been doing—even data from users who consent to personalized ads.
Katharina Raabe-Stuppnig, Schrems’s lawyer, expressed satisfaction with the ruling, while emphasizing the wider implications of the decision for the online advertising industry. She noted that other companies operating without stringent data deletion practices will also be affected.
In response to the court’s decision, Meta issued a statement saying it was reviewing the judgment while reaffirming its stated commitment to privacy.
“Everyone using Facebook has access to a wide range of settings and tools that allow people to manage how we use their information,” the company said in the statement, adding that it “takes privacy very seriously.”
The ruling is the latest setback for Meta in Europe. The tech giant has faced numerous legal and regulatory challenges there in recent years, and has been at the center of multiple investigations, particularly regarding compliance with the GDPR.