Case Summary and Outcome

The Court of Justice of the European Union delivered a judgment reinforcing key data protection principles by holding that the operator of an online social network (e.g., Meta Platforms Ireland) cannot process user data for targeted advertising in an unrestricted manner. The case arose from a user’s complaint (e.g., Maximilian Schrems) about the platform’s extensive collection of his data, both from his activity on the network and his browsing on third-party websites, which was used to create detailed profiles for personalized ads. The Court ruled that the principle of data minimization prohibits the unlimited aggregation and processing of all personal data held by a platform for advertising purposes, regardless of the data’s sensitivity. It further held that even when an individual has publicly disclosed sensitive information, such as their sexual orientation, this does not grant the platform carte blanche to process all other data related to that sensitive category for targeted advertising.

---

Facts

Maximilian Schrems is a user of the online social network Facebook, whose services in the European Union are managed by the defendant, Meta Platforms Ireland Limited (hereinafter “Meta”). Meta is the controller of the personal data of Facebook users in the EU, and it does not maintain a physical branch in Austria. Until November 5, 2023, Facebook provided its services free of charge to private users. From November 6, 2023, the service remained free only for users who consented to their personal data being used for personalized advertising; otherwise, users could pay for a subscription to access an ad-free version. Facebook’s business model is financed through online advertising tailored to individual users based on detailed profiles created from their data.

For processing personal data, Meta relied on the contract of use that users accept by clicking “register” and agreeing to the general terms of use. At the time of the facts in the main proceedings, accepting these terms was mandatory to use Facebook. The general terms referenced Meta’s data and cookie policies, which allowed the company to collect user-related and device-related data about activities both on and off Facebook, linking this information to users’ accounts. Off-Facebook data originated from visits to third-party websites and apps connected through programming interfaces, as well as from other Meta group services, including Instagram and WhatsApp. Before the General Data Protection Regulation (GDPR) took effect, Facebook users explicitly consented to data processing under the terms applicable to that period. Following the GDPR’s implementation on May 25, 2018, Meta adopted new terms of use on April 19, 2018, which Mr. Schrems accepted to regain access to his blocked account.

Under the new terms, Meta implemented tools allowing users to review their stored data, though only data the company deemed interesting and relevant was visible. Users could view specific data such as when they opened an application via their Facebook profile, visited websites, performed searches, made purchases, or clicked on advertisements. Meta utilized “cookies,” “social plug-ins” (most notably the “Like” button), and “pixels” as specified in its terms and policies. Through cookies, Meta could determine the source of visits, and many Meta services could not be used without activating cookie functionality. When third-party websites with Facebook plug-ins were visited, cookies stored on the user’s device, the URL of the visited page, and various log data (including IP addresses and time data) were transmitted to Meta, even without the user clicking the plug-in, as merely loading the page triggered data transmission.

Mr. Schrems argued that Meta was unlawfully processing his personal data. He alleged that Meta collected data not only from his activity on Facebook but also from his visits to third-party websites and apps, including sites of political parties and those targeted at homosexual users. This data was aggregated, analyzed, and used to direct personalized advertising at him. For instance, he received advertising targeting homosexual persons, based on an analysis of his interests and those of his friends. Mr. Schrems had not consented to this processing of his off-Facebook data. He had not posted sensitive data on his profile, limited his profile visibility to friends only, and opted out of allowing Meta to use information from fields such as relationship status, employer, job title, and education for targeted advertising purposes.

Meta defended its actions, arguing that the processing was lawful, not based on consent under Article 6(1)(a) of the GDPR, but primarily because it was necessary for the performance of the contract with the user under Article 6(1)(b) of the GDPR. The relevant legal provisions are primarily Articles 5 (principles relating to processing), 6 (lawfulness of processing), and 9 (processing of special categories of personal data) of the GDPR.

Mr. Schrems initially brought an action before the Landesgericht für Zivilrechtssachen Wien (Regional Court for Civil Matters, Vienna), which dismissed his claims on June 30, 2020. He appealed to the Oberlandesgericht Wien (Higher Regional Court, Vienna), which also dismissed the action on December 7, 2020. That court found that processing data for personalized advertising formed an integral part of the platform’s contract of use and was therefore necessary for its performance under Article 6(1)(b) of the GDPR.

Mr. Schrems then appealed on a point of law to the Oberster Gerichtshof (Supreme Court, Austria), the referring court. The Supreme Court observed that while Meta’s processing of personal data for personalized advertising enables Facebook to offer free services and could be considered necessary for contract performance under Article 6(1)(b), it questioned whether this strictly interpreted provision should permit such processing without user consent. The court further noted that Meta processes data potentially categorized as “sensitive” under Article 9(1) of the GDPR, specifically data relating to Mr. Schrems’ political beliefs and sexual orientation. The court found that on February 12, 2019, during a panel discussion in Vienna at the invitation of the European Commission Representation, Mr. Schrems publicly disclosed his sexual orientation while criticizing Facebook’s data processing practices, though he never mentioned this aspect of his personal life on his Facebook profile. This raised questions about whether he had “manifestly made sensitive personal data public” under the exception in Article 9(2)(e) of the GDPR.

Given these uncertainties, the Austrian Supreme Court stayed proceedings and referred four questions to the Court of Justice for a preliminary ruling. Following the Court’s judgment in a related case (Meta Platforms and Others, C-252/21), the referring court withdrew its first and third questions, maintaining only the second and fourth. These questions concern: whether Article 5(1)(c) (data minimization) permits unlimited aggregation and analysis of personal data for targeted advertising; and whether Article 5(1)(b), read with Article 9(2)(e), permits processing of data concerning sexual orientation for personalized advertising based on statements made in a panel discussion.

As part of the CJEU’s procedure, an Advocate General (“AG”), who is a senior judge, provides an independent legal analysis of the case to assist the Court before its deliberation and final judgment. On 25 April 2024, AG Rantos delivered his Opinion on the questions referred. Regarding the question on data minimization, he agreed that processing without temporal or typological restrictions is, by definition, contrary to Article 5(1)(c). He proposed that the referring court should assess, using the principle of proportionality, whether the data retention period and the amount of data processed are justified for the purpose of personalized advertising. He suggested that distinctions could be drawn based on the intrusiveness of the data processing, such as between “static” and “behavioral” data, data collected on and off the platform, and the reasonable expectations of users. [AG Opin., paras. 20-27]

As for the other question, the Advocate General first noted that Meta had not relied on the Article 9(2)(e) exception in the national proceedings, potentially making the question irrelevant. However, assuming its relevance, he provided an analysis. He concluded that Mr. Schrems’s statement at a public panel discussion was likely an act by which he “manifestly made public” his sexual orientation under Article 9(2)(e). However, he emphasized that this only lifts the “special protection” afforded to sensitive data. Such a public statement does not, in itself, permit the processing of that or other related data. After the exception applies, the data becomes “ordinary,” and any processing must still comply with all other GDPR principles and conditions for lawful processing, including the principle of purpose limitation under Article 5(1)(b). [AG Opin., paras. 34-47]

---

Decision Overview

The Court of Justice of the European Union (Fourth Chamber) delivered the judgment. The main issues before the Court were whether the principle of data minimization (Article 5(1)(c) GDPR) allows a social network operator to aggregate, analyze and process all personal data it holds for targeted advertising, without restrictions on time or data type; and whether a person’s public statement about their sexual orientation, made outside the platform, authorizes the operator to process other data relating to that person’s sexual orientation, obtained from third-party websites and apps, for the purpose of personalized advertising (pursuant to Articles 5(1)(b) and 9(2)(e) GDPR).

Mr. Schrems argued that Meta’s processing of his data, particularly the aggregation of on- and off-platform data for targeted advertising, violated the GDPR, contending that his consent was not valid and that Meta was unlawfully processing his sensitive data. Meta contended that its processing was lawful and was not contingent on the user’s consent under Article 6(1)(a), but was justified under Article 6(1)(b) as being necessary for the performance of the user contract. It also argued that because Mr. Schrems had publicly disclosed his sexual orientation, the prohibition on processing such sensitive data no longer applied under the exception in Article 9(2)(e).

The applicable law for the Court’s determination centered on several key provisions of the GDPR. These include Article 5(1)(b) and (c) (purpose limitation and data minimization), Article 9(1) and (2)(e) (processing of special categories of personal data), Article 5(1)(e) (storage limitation), Article 25(2) (data protection by design and by default), and Articles 7 and 8 of the Charter of Fundamental Rights which guarantee the rights to respect for private life and protection of personal data.

On the Issue of Data Minimization, the Court began by establishing the foundational purpose of the GDPR, which is to ensure a high level of protection for fundamental rights, particularly the right to privacy regarding personal data processing, as enshrined in the Charter and TFEU. The Court emphasized that any data processing must observe both the principles in Article 5 and satisfy the lawfulness conditions in Article 6, while also respecting data subject rights in Articles 12-22. Crucially, the Court noted that the principles in Article 5 apply cumulatively, including lawfulness, fairness, transparency, purpose limitation, and data minimization, with the latter principle requiring that personal data be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.” [paras. 45-49]

Regarding the temporal limitations on processing, the Court determined that the data minimization principle requires controllers to limit the collection period to what is “strictly necessary” for the processing objective. The Court observed that longer storage periods create a greater impact on privacy rights and require more stringent justification for lawfulness. Article 5(1)(e) imposes a “storage limitation” principle requiring controllers to keep data only as long as necessary for collection purposes, with the Court emphasizing that “even initially lawful processing of data may over time become incompatible with the GDPR” when no longer necessary, necessitating deletion. [para. 56] The Court concluded that storing social network users’ personal data for an unlimited period for targeted advertising constitutes a “disproportionate interference” in users’ GDPR-guaranteed rights. [para. 58]

Regarding the scope of data collection, the Court referred to its previous ruling that controllers may not engage in “generalised and indiscriminate” data collection and must refrain from collecting data not “strictly necessary” for processing purposes. The Court noted that Article 25(2) requires implementing measures to ensure that, by default, only necessary data are processed. In this case, the Court found that Meta’s data collection practices were “particularly extensive,” relating to “potentially unlimited data” and monitoring “a large part – if not almost all – of [users’] online activities,” creating the sensation of “continuously monitored” private life. The Court characterized this as “a serious interference with the fundamental rights of data subjects,” particularly their right to private life and data protection under Articles 7 and 8 of the Charter of Fundamental Rights. [paras. 59-63]

Based on this reasoning, the Court determined that such indiscriminate use of all personal data, regardless of sensitivity level, for advertising purposes is not “a proportionate interference” with platform users’ GDPR-guaranteed rights. [para. 64]

On the issue of processing sexual orientation data, the Court first reaffirmed that Article 9(1) of the GDPR establishes a fundamental prohibition on processing special categories of personal data, such as data concerning sexual orientation, due to the significant risks they pose to fundamental rights. This prohibition applies regardless of whether the information is accurate or what the controller’s stated purpose is. The derogations from this prohibition in Article 9(2) “must be interpreted strictly.” [para. 76] For the specific exception in Article 9(2)(e) regarding data “manifestly made public by the data subject” to apply, the Court stated that the data subject must have intended, “explicitly and by a clear affirmative action, to make the personal data in question accessible to the general public.” [para. 77]

While the Court acknowledged that Mr. Schrems’s statement at a public panel discussion, which was streamed and later published as a podcast and on YouTube, might satisfy this condition for the specific information he disclosed, it drew a sharp limit on the scope of this exception. The Court firmly rejected Meta’s contention that this public statement authorizes the processing of all other data relating to his sexual orientation. It reasoned that accepting Meta’s argument would undermine the strict interpretation required for the exception, noting that “it would be contrary to the restrictive interpretation that should be made of Article 9(2)(e) of the GDPR to find that all data relating to the sexual orientation of a person fall outside the scope of protection under Article 9(1) thereof solely because the data subject has manifestly made public personal data relating to his or her sexual orientation.” [para. 81] The Court also clarified that such a public statement does not equate to giving “explicit consent” under the separate exception in Article 9(2)(a) for processing other data. [para. 82]

In conclusion, the Court held that Article 5(1)(c) of the GDPR must be interpreted as meaning that the principle of data minimization precludes any personal data obtained by a controller, such as the operator of an online social network platform, from the data subject or third parties and collected either on or outside that platform, from being aggregated, analyzed and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data. The Court further held that Article 9(2)(e) of the GDPR must be interpreted as meaning that the fact that a person has made a statement about his or her sexual orientation on the occasion of a panel discussion open to the public does not authorize the operator of an online social network platform to process other data relating to that person’s sexual orientation, obtained, as the case may be, outside that platform using partner third-party websites and apps, with a view to aggregating and analyzing those data, in order to offer that person personalized advertising.

---