Top EU Court Says Meta Must Limit Data For Ad Targeting

Facebook parent Meta must minimise the data on users that it uses for personalised advertising, the EU’s highest court has ruled, backing a challenge by Austrian privacy advocate Max Schrems.

Schrems initially took his case to an Austrian court in 2020, where he alleged he had been targeted by advertisements aimed at gay people on Facebook, even though he had never shared his sexual orientation on the platform.

The Court of Justice for the European Union (CJEU) has now ruled that under EU data protection rules, the company is not allowed to use all the data it collects on users for personalised advertising.

The judges said the principle of data minimisation is contained in the EU’s General Data Protection Regulation (GDPR).

Data minimisation

“An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data,” the court said.

Under the GDPR data on a person’s sexual orientation, race, ethnicity or health status is classified as sensitive and requires special processing.

GDPR rules have also been incorporated into UK law, although the CJEU’s ruling is not binding for UK courts.

Meta denied using such special category data to target advertisements.

The company said it takes privacy “very seriously” and has invested more than 5 billion euros (£4.2bn) in its privacy controls.

“Everyone using Facebook has access to a wide range of settings and tools that allow people to manage how we use their information,” the company said.

Schrems’ lawyer Katharina Raabe-Stuppnig said the ruling was welcome.

Privacy rules

“Following this ruling only a small part of Meta’s data pool will be allowed to be used for advertising, even when users consent to ads. This ruling also applies to any other online advertisement company that does not have stringent data deletion practices,” Raabe-Stuppnig said.

Austria’s Supreme Court referred questions over how the GDPR applied to Schrems’ case to the CJEU in 2021.

The Austrian court asked whether Schrems referring to his sexual orientation in a public setting meant the information was considered public and could be used to target ads.

The CJEU said it was for the Austrian court to decide if Schrems had made the information “manifestly public data”, but his public reference to his sexual orientation did not mean he authorised processing of any other personal data.

Schrems has taken Meta to court several times over its processing of EU customer data.