Europe's most famous privacy activist, Max Schrems, today dealt another blow to Meta after the EU Supreme Court ruled that the tech giant cannot misuse users' public statements about their sexual orientation for online advertising.
Since 2014, Schrems has complained about seeing advertisements on metaplatforms targeting his sexual orientation. Schrems claims, based on data he obtained from the company, that advertisers using Meta can infer his sexuality from proxies, such as his app logins or website visits. Meta denies that it showed Schrems personalized ads based on his data outside of Facebook, and the company has long said it excludes any sensitive data it detects from its advertising activities.
The case started with Schrems contesting whether this practice violated Europe's GDPR privacy law. But things took an unexpected turn when a judge in his home country of Austria ruled that Meta had the right to use his sexuality data for advertising because he had spoken about it publicly at an event in Vienna. The Austrian Supreme Court then referred the case to the EU Supreme Court in 2021.
Today, the Court of Justice of the European Union (CJEU) finally ruled that a person's sexual orientation cannot be used for advertising, even if that person speaks publicly about their homosexuality.
“Meta Platforms Ireland collects the personal data of Facebook users, including Mr Schrems, about those users' activities both on and off that social network,” the court said. “The available data also allows Meta Platforms Ireland to identify Mr Schrems' interest in sensitive topics, such as sexual orientation, allowing it to target advertising to him.”
The fact that Schrems had spoken publicly about his sexual identity does not give any platform permission to process related data to serve him personalized advertisements, the court added.
“Now we know that being on a public stage does not necessarily mean that you agree to the processing of these personal data,” says Schrems, founder of the Austrian privacy group NOYB. He believes only a handful of Facebook users will have the same problem. “It's really a niche problem.”
The CJEU also ruled today that Meta must restrict the data it uses for advertising more broadly, essentially setting ground rules for how the GDPR should be enforced. European privacy law means that personal data may not be “aggregated, analyzed and processed for the purpose of targeted advertising, without limitation in time and without distinction as to the type of data,” the court said in a statement.
“It is very important to set ground rules,” said Katharina Raabe-Stuppnig, the lawyer representing Schrems. “There are companies that think they can simply ignore this and gain a competitive advantage from this behavior.”
Meta says it is waiting for the full publication of the CJEU judgment. “Meta takes privacy very seriously and has invested more than €5 billion to put privacy at the heart of all our products,” Meta spokesperson Matt Pollard told WIRED. “Everyone who uses Facebook has access to a wide range of settings and tools that help people manage how we use their information.”
Schrems has been a prolific campaigner against Meta since a legal challenge he launched resulted in a surprise 2015 ruling that invalidated a transatlantic data transfer system over concerns that US spies could use it to access EU data. His organization has since filed legal complaints against Meta's pay-for-privacy subscription model and the company's plans to use Europeans' data to train its AI.
“It is of great importance for the entire online advertising space. But for Meta it is just another violation in the long list of violations they have,” says Schrems about this latest statement. “The walls are closing in.”