Austrian Supreme Court has ruled that Meta’s personalized advertising practices violate European Union data protection laws. On Thursday, the court determined that Meta failed to obtain consent from users in a manner that complies with the General Data Protection Regulation (GDPR). This decision marks a significant shift in how user data can be utilized for targeted advertising in Europe.
The ruling specifically highlighted that Meta cannot rely on its current practices to process user data without explicit consent. The court concluded that personalized ads serve as a financing mechanism rather than being integral to the social networking service itself. This distinction is critical, as it emphasizes the need for clear and unambiguous consent from users regarding the use of their personal information.
In a noteworthy directive, the court ordered Meta to provide plaintiff Max Schrems with a complete copy of all personal data processed about him. This includes detailed information on the sources of the data, its intended purposes, and the specific recipients who have received this data. Meta must comply with this order within 14 days of the decision.
Legal Implications and User Rights
The Supreme Court’s judgment rejected Meta’s argument that the existing “Download Your Information” feature met the GDPR’s access requirements. The court found that summaries or filtered disclosures do not fulfill the legal obligations set out in the regulation. Moreover, Meta’s attempts to limit the disclosure of information by claiming trade secrets were dismissed, as the company could not substantiate those claims during the trial.
The ruling addressed the processing of sensitive personal data under the GDPR, which includes information related to political opinions, health, and sexual orientation. The court determined that Meta is prohibited from processing such data without the explicit, informed consent of users. This includes data collected via third-party social plugins. The court also rejected Meta’s defense that it does not intentionally collect sensitive information or that it is technically unable to separate such data from other categories.
Privacy activist Max Schrems, who initiated the case, expressed that the ruling confirms the necessity for Meta to adhere to EU law in managing user data. He emphasized that the decision clarifies that Meta must not utilize user preferences without obtaining explicit consent from each individual. Raabe-Stuppnig, the Austrian lawyer representing Schrems, characterized the judgment as unprecedented. She noted, “It took eleven years, but now there is a final ruling that Meta must provide unprecedented access to all data it has ever collected about Mr. Schrems,” adding that, “the ruling is directly enforceable throughout the EU.”
Conclusion of a Prolonged Legal Battle
In addition to mandating compliance with data access obligations, the court awarded €500 in non-material damages to Schrems for Meta’s failure to provide timely and lawful access to his data. Raabe-Stuppnig remarked that this amount could establish a baseline for similar cases pending across Europe.
This decision concludes an extensive 11-year legal battle initiated in 2014, characterized by numerous procedural challenges, including early refusals by Austrian regional courts and disputes regarding Schrems’ status as a consumer. The case reached the Austrian Supreme Court on three separate occasions and prompted two preliminary rulings from the Court of Justice of the European Union before finally being resolved. The total litigation costs exceeded €200,000.
Meta now faces a court-enforced deadline of December 31, 2025, to provide Schrems with complete access to his personal data, setting a new precedent for data protection practices across the European Union.
