Europe’s most famous privacy activist, Max Schrems, today dealt another blow against Meta after the EU’s top court ruled that the tech giant cannot exploit users’ public statements about their sexual orientation for online advertising.
Since 2014, Schrems has complained about seeing advertising on Meta platforms targeting his sexual orientation. Schrems says, based on data he obtained from the company, that advertisers using Meta can infer your sexuality from indicators such as your app logins or website visits. Meta denies showing Schrems personalized ads based on its data outside of Facebook, and the company has long said it excludes any sensitive data it detects from its advertising operations.
The case began when Schrems questioned whether this practice violated the European privacy law GDPR. But it took an unexpected turn when a judge in his home country, Austria, ruled that Meta had the right to use his sexuality data for advertising because he had spoken about it publicly during an event in Vienna. The Austrian Supreme Court subsequently referred the case to the EU’s top court in 2021.
Today, the Court of Justice of the European Union (CJEU) finally ruled that a person’s sexual orientation cannot be used for advertising, even if that person speaks publicly about being gay.
“Meta Platforms Ireland collects the personal data of Facebook users, including Mr Schrems, in relation to those users’ activities both on and off that social network,” the court said. saying. “Using the data at its disposal, Meta Platforms Ireland can also identify Mr Schrems’ interest in sensitive topics such as sexual orientation, allowing it to target targeted advertising at him.”
The fact that Schrems had spoken publicly about his sexual identity does not authorize any platform to process related data to offer him personalized advertising, the court added.
“We now know that being in a public setting does not necessarily mean that you agree to this personal data being processed,” says Schrems, founder of the Austrian privacy group NOYB. He believes that only a handful of Facebook users will have the same problem. “It’s a very, very specific problem.”
The CJEU also ruled today that Meta has to limit the data it uses for advertising more broadly, essentially setting ground rules for how the GDPR should be enforced. Europe’s privacy law means that personal data must not be “aggregated, analyzed and processed for the purposes of targeted advertising without time restriction and without distinction of type of data,” the court said in a statement.
“It is very important to establish ground rules,” says Katharina Raabe-Stuppnig, a lawyer at Schrems. “There are some companies that think they can ignore them and gain a competitive advantage with this behavior.”
Meta said he was waiting for the CJEU ruling to be published in full. “Meta takes privacy very seriously and has invested more than €5 billion to embed privacy at the core of all our products,” Meta spokesperson Matt Pollard told WIRED. “Everyone who uses Facebook has access to a wide range of settings and tools that allow them to manage how we use their information.”
Schrems has been a prolific campaigner against Meta since a legal challenge he brought resulted in a surprise ruling in 2015 that invalidated a transatlantic data transfer system over concerns that US spies could use it to access EU data. His organization has since filed legal complaints against Meta’s pay-for-privacy subscription model and the company’s plans to use data from Europeans to train your AI.
“It is important for the entire online advertising space. But for Meta, it is just another in the long list of violations they have,” says Schrems, about this latest sentence. “The walls are closing.”