CJEU: Meta must restrict the use of personal data for targeted ads

Today, the Court of Justice of the European Union (CJEU) delivered a landmark ruling restricting the use of personal data for targeted advertising by platforms like Meta, formerly Facebook. That decision stems from a complaint by data privacy advocate Max Schrems, who argued Meta violated the General Data Protection Regulation (GDPR) principles of ‘data minimisation’ and ‘purpose limitation’ when processing users’ data for personalised ads. Consequently, the court has mandated time limits on data usage and stipulated that data must only be utilised for expressly defined purposes under GDPR, impacting the vast data reservoirs companies have accumulated over time.

An essential aspect of the ruling addresses the use of sensitive data, such as publicly shared sexual orientation information, for advertising. Schrems challenged Meta’s adherence to the ‘purpose limitation’ principle when the company used such public data without explicit consent. The court decided that declaring such information publicly does not permit its use for targeted advertising, establishing that public availability does not equate to consent under GDPR. This sets a significant precedent for sensitive data processing and aligns with the broader GDPR framework.

Why does it matter?

The ruling has implications beyond social media advertising, particularly AI training practices. The European Center for Digital Rights (Noyb), founded by Schrems, emphasised that companies like Meta, X (formerly Twitter), and OpenAI often scrape online data to train AI models, frequently diverging from the data’s original intent.

This ruling also highlights the evolving regulatory landscape and the EU’s global data privacy governance leadership. Schrems’ advocacy, informed by past victories in the Schrems I and Schrems II cases, continues to shape strict data privacy standards within Europe, reaffirming the ongoing scrutiny of technology firms’ data practices.