The European Union's Supreme Court has upheld a privacy challenge to Meta's data retention policy. The court ruled Friday that social networks such as Facebook cannot continue to use people's information for ad targeting indefinitely.
The ruling could have a major impact on how Meta and other ad-funded social networks operate in the region.
In order to comply with the data minimization principles contained in the Block's General Data Protection Regulation (GDPR), limits on the retention period of personal data must be applied. Violating this regime can result in fines of up to 4% of annual global turnover, and in Meta's case, billions of dollars in fines. Already at the top of the Big Tech leaderboard (GDPR violators).
The CJEU's judgment builds on an earlier opinion on the case published by the Court's Counsel in April, which also upheld restrictions on the retention of personal data for ad targeting.
Asked for a response, Meta spokesman Matt Pollard said the company was awaiting a full verdict.
“We are awaiting announcement of the court's decision and will share more in due course,” he told TechCrunch via email. “Meta takes privacy very seriously and has invested more than €5 billion to embed privacy at the heart of all our products. You have access to a wide range of settings and tools that let you manage how you use it.
Ad tech giants make money by tracking and profiling users of social networks, both on their own services and on the web, through networks of tracking technologies such as cookies, pixels, and social plugins in order to sell microtargeted ads. I'm raising it. service. As a result, any limitations on your ability to continually profile web users in key areas of your business can hurt your bottom line.
Last year, Meta suggested that around 10% of global advertising revenue was generated in the EU.
Schrems vs. Facebook’s new success
The CJEU's decision followed a referral from an Austrian court in which European privacy activist Max Schrems had challenged Facebook's data collection and legal basis for advertising.
In a statement released by noyb, a nonprofit organization that protects Schrems' privacy rights, Schrems' lawyer Katharina Rabe-Stupnig commented on the victory, saying, “This outcome was highly anticipated. However, we are very satisfied with this ruling.”
“Meta has basically been building a huge data pool about its users for 20 years, and that data is growing every day. However, EU law requires ‘data minimization’. As a result of this ruling, only a small portion of Meta's data pool will be available for advertising, even if users consent to advertising. “This ruling also applies to other online advertising companies that do not have strict data deletion practices,” she added.
According to noyb, Meta's first foray into the advertising business dates back to 2014, but it only really gained traction in Austria in 2020. The Austrian Supreme Court subsequently referred several legal issues to the CJEU in 2021. Some were answered through a separate challenge to Meta/Facebook in the July 2023 CJEU judgment. The ruling overrode the company's ability to claim a “legitimate interest” in processing people's information. Data for advertising. The remaining two questions are currently being dealt with by the CJEU. And it's even worse news for Meta's surveillance-based advertising business. Restrictions apply.
The CJEU summarized this part of the judgment in a press release, writing: “Online social networks such as Facebook cannot use all of the personal data they obtain for targeted advertising purposes, without time limits or distinctions of type” data. “
This ruling appears to be important given how advertising businesses such as Meta operate. To put it bluntly, as far as they're concerned, the more data they can get, the better.
Dating back to 2022, an internal memo authored by a Meta engineer and obtained by Vice's Motherboard compared the company's data collection practices to throwing an ink bottle into a vast lake, citing a lack of controls over the company's aggregation of personal data. It was suggested that it was not suitable for collecting personal data. Silo different types of data or enforce data retention limits.
Meta claimed at the time that the document “does not describe our extensive processes and controls for complying with privacy regulations.”
It remains to be seen how ad tech giants will need to amend their data retention practices in the wake of the CJEU ruling. However, it is clear that the law has its limits. “[Advertising]companies need to develop data management protocols to gradually remove or stop using unnecessary data,” suggests noyb.
Further use of sensitive data is prohibited
The CJEU also considered a second question posed by the Austrian court as part of the Schrems case. This concerns sensitive data that is “explicitly disclosed” by a data subject and whether sensitive characteristics can therefore be used for advertising targeting.
The court upheld the GDPR's purpose limitation principle and ruled that this could not be done.
“It would have a profound chilling effect on free speech if the moment one criticized the illegal processing of personal data in a public forum, it would have a profound chilling effect on free speech,” Rabe-Stupnig wrote. rejected this idea.'' ”
Asked about Meta's use of so-called special category data, Pollard said the company uses this information for ad targeting, as sensitive personal information such as sexual orientation, health data and religious views is known under EU law. claimed not to have processed it.
“We do not use special categories of data you provide to personalize ads,” he wrote. “Also, our terms prohibit advertisers from sharing sensitive information, and we exclude any sensitive information that may be detectable. Additionally, our terms prohibit advertisers from sharing sensitive information, and we exclude any sensitive information that may be detectable. We have taken steps to remove targeting options for advertisers.
This part of the CJEU ruling could have relevance beyond the very operation of social media services, as tech giants, including Meta, have recently been keen to reuse personal data as material for AI training. be. Scraping the internet is another tactic used by AI developers to obtain the vast amounts of data needed to train large-scale language models and other generative AI models.
In both cases, acquiring people's data for a new purpose (AI training) could violate the GDPR's purpose limitation principle.
