Personal data, EU Court of Justice verdict: Meta cannot store them without time limits and users’ explicit consent

Brussels –  Digital platforms cannot use personal data for advertising without restriction as to time and without distinction as to the type of data. The Court of Justice of the European Union (CJEU), the EU’s highest court, today (Oct. 4) established this in a case brought by Austrian activist Maximilian Schrems in 2020. The issue, in essence, was whether or not Meta (the parent company of Facebook, Instagram, and Whatsapp) breached the EU regulation on data processing (General Data Protection Regulation, GDPR), which the US giant collects extensively to sell to advertisers.

In the end, the CJEU judges agreed with Schrems, a well-known privacy activist, following the (non-binding) opinion expressed in April by the Court’s Advocate General, Athanasios Rantos, who had sided with the plaintiff. In the case at hand, the CJEU ruled that platforms are not allowed to use data about users obtained externally or from third parties, not even in cases where they have been made public by the users. Specifically, the fact that Schrems had spoken about his sexual orientation at a public event (offline) does not allow Meta to process this data “with a view to aggregating and analyzing those data, in order to offer him personalized advertising” unless he had explicitly consented to its processing by the social network – consent that was instead convincingly denied.

In short, platforms can only use data that users disclose directly, and the processing of which is expressly authorized. In addition to this, the Court also reiterated that a social network “cannot use personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data.” That is to say, data collected by platforms in compliance with the GDPR have an expiration date, especially particularly sensitive ones – such as those concerning sexual orientation, religious profession, political beliefs, and so on.

Katharina Raabe-Stuppnig, Schrems’ lawyer, said she was “very pleased with the ruling,” even though widely expected. “Meta has been building an enormous pool of user data for 20 years, which is growing by the day,” she said, noting that this stands in open conflict with European law that requires so-called “data minimization,” meaning the collection, processing, and storage only of data that is truly indispensable for a well-defined purpose.  The CJEU’s decision, which will apply to all online advertising companies, effectively strengthens the regulatory framework introduced by the GDPR.

After all, it is not the first time the Austrian activist has won judicial victories against Meta. In two separate trials in 2013 and 2018, Schrems successfully challenged user data transfer agreements between the EU and the United States.