CJEU declares Meta’s GDPR approach illegal

CJEU has ruled that Meta violated the GDPR, and that it cannot process personal data beyond essential services without explicit user consent. The CJEU rejected Meta’s arguments for alternative legal grounds and emphasized the importance of consent for activities beyond essential functions.


Meta’s handling of the General Data Protection Regulation (GDPR) has been deemed unlawful by the Court of Justice of the European Union (CJEU). The CJEU has specified that Meta cannot process personal data beyond what is essential for its core services, such as messaging and content sharing, without obtaining explicit and equitable consent from users. The court examined all six legal bases for data processing outlined in the GDPR and emphasized the requirement for consent when conducting activities beyond essential functions. The CJEU’s decision aligns with the perspectives of the European Data Protection Board (EDPB) regarding Meta’s tactics to bypass GDPR.

Meta tried to bypass the requirement for consent by relying on alternative legal grounds for data processing. The CJEU thoroughly examined each of these grounds, highlighting the significance of consent. The court rejected Meta’s argument that tracking and online advertising were contractual obligations under the GDPR. The CJEU emphasized that contractual necessity should be interpreted narrowly, allowing only absolutely necessary actions.

Moreover, Meta’s attempt to justify personalized advertising under the legal basis of “legitimate interest” according to Article 6(1)(f) of the GDPR was unsuccessful. The CJEU clarified that users’ rights precede any legitimate interests data controllers claim regarding personalized advertisements. As a result, the EU controllers are effectively restricted from conducting personalized advertising without obtaining explicit consent from users.