Europe’s most celebrated privacy campaigner, Max Schrems, dealt another blow to Meta today after the EU’s highest court ruled that the tech giant cannot operate users’ public statements about their sexual orientation for online advertising purposes.
Since 2014, Schrems has complained about seeing ads on Meta platforms targeting his sexual orientation. Based on data obtained from the company, Schrems claims that advertisers using Meta can infer his sexuality based on proxies such as app logins or website visits. Meta denies it showed Schrems personalized ads based on his non-Facebook data, and the company has long said it excludes any sensitive data it detects from its advertising activities.
The case began with Schrems questioning whether the practice violated European privacy law GDPR. However, the case took an unexpected turn when a judge in his home country of Austria ruled that Meta had the right to operate his sexuality data for advertising purposes because he had spoken about it publicly at an event in Vienna. Then, in 2021, the Austrian Supreme Court referred the case to the EU’s highest court.
Today, the Court of Justice of the European Union (CJEU) finally ruled that a person’s sexual orientation cannot be used in advertising, even if that person publicly talks about being gay.
“Meta Platforms Ireland collects personal data from Facebook users, including Mr Schrems, relating to those users’ activities both on and off the social networking site,” the court said. he said. “Through the available data, Meta Platforms Ireland is also able to identify Mr. Schrems’ interests in sensitive topics such as sexual orientation, which enables it to target him with targeted advertising.”
The court added that the fact that Schrems had spoken publicly about his sexual identity did not authorize any platform to process the related data to offer him personalized advertising.
“We now know that if you are on a public stage, it does not necessarily mean that you consent to the processing of this personal data,” says Schrems, founder of the Austrian privacy group NOYB. He believes that only a handful of Facebook users will have the same problem. “It’s a really, really niche issue.”
The CJEU also ruled today that Meta must more broadly restrict the data it uses for advertising purposes, essentially establishing basic rules for GDPR enforcement. European privacy law means personal data should not be “aggregated, analyzed and processed for the purposes of targeted advertising without time limits and without distinction as to the type of data,” the court said in a statement.
“Establishing ground rules is really important,” says Katharina Raabe-Stuppnig, a lawyer representing Schrems. “Some companies think they can just ignore them and gain a competitive advantage from this behavior.”
Meta said it was waiting for the full CJEU judgment to be published. “Meta takes privacy very seriously and has invested over €5 billion to ensure privacy is at the heart of all our products,” Meta spokesman Matt Pollard told WIRED. “Every Facebook user has access to a wide range of settings and tools that allow people to manage how we use their data.”
Schrems has been vigorous against Meta since his legal challenge resulted in a surprise ruling in 2015 invalidating the transatlantic data transfer system over concerns that U.S. spies could operate it to access EU data. His organization has since filed legal challenges against Meta’s pay-for-privacy subscription model and the company’s plans use Europeans’ data train artificial intelligence.
“This is important for the entire advertising space on the Internet. But for Meta, this is just another violation in a long list,” Schrems says of his latest ruling. “The walls are closing in.”