幸运飞行艇官方开奖记录查询 Meta GDPR ruling to force adtech industry to limit data

Austrian privacy activist and lawyer Max Schrems has scored yet another victory in his long-running battle with tech giant Meta over the use of personal data for advertising, in a new court ruling that will have widespread consequences for the entire online ad industry.

The case concerns a civil case between Schrems as an individual, and Meta Ireland Platforms before the Austrian Courts. The case was first filed in 2014 and first fully heard in Austria in 2020 and concerns a large number of GDPR violations, including the lack of a legal basis for advertising.

The Austrian Supreme Court referred the case to the European Court of Justice (ECJ) in 2021 but was paused until earlier this year; the court published its ruling late last week.

The court decided on two questions: first, massively limiting the use of personal data for online advertisements; secondly, limiting the use of publicly available personal data to the originally intended purposes for publication.

At the moment, Meta uses all personal data it has ever collected for advertising. For example, Facebook user data can go back as far as 2004 and include data entered by the user, by other users or data collected via online tracking or tracking on mobile apps.

To prevent such practices GDPR established the principle of “data minimisation”, requiring to limit the processing to strictly necessary data.

However, Meta and many other players in the online advertisement space have simply ignored this rule and did not foresee any deletion periods or limitation based on the type of personal data.

The application of the “data minimisation principle” radically restricts the use of personal data for advertising. The principle of data minimisation applies regardless of the legal basis used for the processing, so even a user who consents to personalised advertising cannot have their personal data used indefinitely. In line with the common practice of the CJEU, the Court left the details of how to implement the data minimisation principle to the national courts.

Katharina Raabe-Stuppnig, the lawyer representing Schrems, said: “Meta has basically been building a huge data pool on users for 20 years now, and it is growing every day. However, EU law requires ‘data minimisation’. Following this ruling only a small part of Meta’s data pool will be allowed to be used for advertising – even when users consent to ads. This ruling also applies to any other online advertisement company, that does not have stringent data deletion practices.”

In addition, under GDPR, information that is “manifestly made public” may be processed by a company, because the legislator assumes that the data subject agreed to the use.

In Schrems case, he claimed he was targeted with ads aimed at gay people despite never sharing information about his sexuality on the platform. He argued that his public comments were made years after the processing of other information took place. His later comments could not be seen as an agreement to the processing of other information years ago and cannot have “traveled” back in time. Other parties to the procedure also questioned if the mere mention of a fact during a public discussion would amount to making such information “manifestly public”.

Katharina Raabe-Stuppnig: “It would have a huge chilling effect on free speech, if you would lose your right to data protection in the moment that you criticise unlawful processing of personal data in public. We welcome that the CJEU has rejected this notion.”

Meta has yet to comment on the ruling, which although only refers to countries in the EU is likely to be adopted by the UK Information Commissioner’s Office.