The Austrian Supreme Court ruled on October 5, 2023, that Meta Platforms, Inc.’s personalized advertising practices violate the European Union’s General Data Protection Regulation (GDPR). The court determined that Meta failed to obtain explicit consent from users regarding the use of their personal data, which is a requirement under EU law. This landmark decision could significantly impact Meta’s operations in Europe and enforce stricter compliance with data protection regulations.
According to the court, Meta’s reliance on the concept of “legitimate interests” to process user data for targeted advertising does not suffice. The justices concluded that personalized ads serve as a financing mechanism for the company, rather than an essential aspect of its social networking services. This distinction is crucial as it underscores the necessity for user consent in such cases.
In a decisive move, the court ordered Meta to provide plaintiff Max Schrems with comprehensive access to all personal data the company processes regarding him. This includes the sources of the data, the purposes for which it is utilized, and the specific recipients to whom it has been disclosed. Meta must comply with this order within 14 days of the ruling.
The court also rejected Meta’s argument that its existing “Download Your Information” tools fulfilled users’ rights under the GDPR. The justices found that merely providing summaries or filtered data does not meet the regulatory standards for data access. Furthermore, Meta’s attempts to limit disclosure by citing trade secrets were dismissed, as the company failed to substantiate these claims during the proceedings.
The ruling also addressed the processing of sensitive personal data, such as political opinions, health information, and sexual orientation. The court stated that Meta is prohibited from processing such sensitive data without explicit, informed, and freely given consent from users.
Reacting to the decision, Max Schrems, a prominent privacy activist who initiated the lawsuit, emphasized that the ruling reinforces the necessity for Meta to adhere to EU laws when managing user preferences. He criticized the company’s long-standing claims of not processing sensitive data, asserting that the court’s decision clarifies that Meta cannot utilize user preferences without obtaining explicit consent.
The Austrian lawyer representing Schrems, Sarah Raabe-Stuppnig, described the judgment as unprecedented in scope. She noted, “It took eleven years, but now there is a final ruling that Meta must provide unprecedented access to all data it has ever collected about Mr. Schrems.” Raabe-Stuppnig added that the ruling is enforceable throughout the EU.
In addition to mandating compliance with data access obligations, the court awarded €500 in non-material damages to Schrems for Meta’s failure to provide timely and lawful access to his data. Raabe-Stuppnig remarked that this amount establishes a realistic “lower-end market” for many other pending cases across Europe.
This ruling concludes an extensive legal battle that began in 2014, characterized by numerous procedural hurdles, including earlier refusals by regional courts to hear the case and disputes regarding Schrems’ status as a consumer. The case reached the Austrian Supreme Court three times and prompted two preliminary rulings from the Court of Justice of the European Union, with total litigation costs surpassing €200,000.
Meta now faces a court-enforced deadline of December 31, 2025, to provide Schrems with complete access to his personal data, setting a significant precedent for data privacy rights in Europe and potentially influencing similar cases in the future.
